Microsoft security software detects and removes this threat.

This family of trojans can steal your personal and financial information, and give a malicious hacker access and control of your PC. They can also lower your Internet browser security and turn off your firewall.

We have seen these threats download other malware, including threats from the Win32/Crilock and Win32/Necurs families. Crilock ransomware can encrypt your files and then demand money to unlock them. Necurs malware can disable your security software and redirect your web browser.

Win32/Zbot can be installed on your PC via spam emails and hacked websites, or packaged with other malware families.

Find out ways that malware can get on your PC.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Prevent malware infections from spam emails
Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Zbot is a family of trojans created by kits known as "Zeus". These kits are bought and sold on the cybercrime black market.

They can monitor online banking activities by hooking API addresses and injecting code into webpages.

Distribution methods

Win32/Zbot is a widespread and pervasive malware family. It uses different methods to spread and infect your PC.

Downloaded by other malware

Win32/Zbot might be installed by other malware or exploit families. These families download Zbot as part of their criminal activity to steal information about your PC:

Win32/Zbot might also be downloaded as a payload for exploit kits like Blackhole (we detect this as Blacole), and for exploits including:

Spam email

The trojan might arrive in a spam email.

The following are examples of a few spam messages that contain Zbot:

Subject: <Courier name> Failure Delivery Notification Message

Subject: <Social network site> Password Reset Confirmation
Attachment: <Social network site>

Subject: <Software company> Software Critical Upgrade Notification ID: RA4NFDKPJBD
Attachment: <Software company>Systems-Software_Critica

Subject: Important Account Information from <Company name> TRACK-ID: 70341011278
Attachment: <Company name>-Account-Status-Notification-Dec-2011.exe

Subject: Your credit balance is over its limits.

Phishing pages and exploit kits

Exploit kits can generate versions of Win32/Zbot to spread to vulnerable PCs.

Spam emails with subjects such as the following contain a link to a phishing page disguised as a social networking, courier, or online banking site. Instead, the link redirects you to sites hosting Win32/Zbot generated by exploit kits:

  • Subject: New login system
  • Subject: Password reset

The following is an example of a spam email that directs users to phishing pages hosting the trojan:

Subject: your <Company Name> money transfer has been authorized

Bundled with other malware

Some variants of Zbot are bundled with an exploit component detected as Exploit:Win32/CplLnk.B.

Remote Desktop Service

If your PC is running Remote Desktop Service (RDS), Zbot might try to run a process for every connected RDS session and create a copy of itself in the startup folder:

%RDSUserProfilePath%\Start Menu\Programs\Startup\<random letters>.exe

where %RDSUserProfilePath% is obtained by enumerating each user's unique security identifier (SID) under this registry key and reading the following value:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Sets value: ProfileImagePath

For example, if the administrator account SID is S-1-5-21-1844237615-2111687655-839522115-500, then the subkey for that profile is:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-2111687655-839522115-500

If ProfileImagePath is:

%SystemDrive%\Documents and Settings\Administrator

Then the dropped file is:

C:\Documents and Settings\Administrator\Programs\Startup\<random letters>.exe

This means that, because your PC is remotely connected to other PCs, there is a risk that those other PCs will be infected as well.

Removable, fixed, shared and remote drives

Some variants of Zbot might arrive as an infected file. These infected files are detected as either Virus:Win32/Zbot.C or Virus:Win32/Zbot.C.


Some versions of Win32/Zbot drop copies of itself as any of the following files:

It also drops the following files, containing encrypted data used by the trojan, to the folder <system folder>\wsnpoem\:

  • audio.dll
  • video.dll

It also creates either of the following encrypted log files, where it stores the stolen data:

Win32/Zbot changes the registry to ensure that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware file>"

where <malware file> is any of the file names mentioned above.

Other versions of Win32/Zbot drop copies of themselves as a randomly named file:

  • %APPDATA%\<random letters>\<random letters>.exe
  • %TEMP%\<random letters>\<random letters>.exe

For example, C:\Documents and Settings\Administrator\Application Data\ecymy\huojq.exe.

Some variants make the following changes to the registry to ensure that they run each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}" (for example, "{449829B8-9322-5694-4C31-974E87EDDDA5}")
With data: "%APPDATA%\<random letters>\<random letters>.exe" (for example, "C:\Documents and Settings\Administrator\Application data\ecymy\huojq.exe")

In subkeys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random number>", for example, "2772969301"
With data: "%APPDATA%\<random letters>\<random letters>.exe", for example, "%APPDATA%\ecymy\huojq.exe"

Some variants of Zbot also create a scheduled job that runs regularly. The job might be named Security Center Update - <random nine digit number>.

It also creates this registry entry as part of its installation process:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
Sets value: "Windows"
With data: "<system folder>\csrss.exe objectdirectory=\windows sharedsection=1024,1536,512 windows=on subsystemtype=windows serverdll=basesrv,1 serverdll=winsrv:userserverdllinitialization,3 serverdll=winsrv:conserverdllinitialization,2 profilecontrol=off maxrequestthreads=16"

Zbot tries to inject code into the address space of all running processes, matching the privilege of the currently logged-on user. If it fails, the trojan instead injects its code into all user-level processes (such as explorer.exe and iexplore.exe). This behavior hides the trojan from security applications.

It also hooks the following Windows system APIs to help it capture sensitive data, such as online banking and shopping details, email credentials, and network information:

    • PR_Close
    • PR_OpenTCPSocket
    • PR_Poll
    • PR_Read
    • PR_Write
    • LdrLoadDll
    • NtCreateThread
    • NtCreateUserProcess
    • RtlUserThreadStart
    • ZwCreateThread
    • GetFileAttributesExW
    • HttpQueryInfoA
    • HttpQueryInfoW
    • HttpSendRequestA
    • HttpSendRequestExA
    • HttpSendRequestExW
    • HttpSendRequestW
    • InternetCloseHandle
    • InternetQueryDataAvailable
    • InternetReadFile
    • InternetReadFileExA
    • InternetReadFileExW
    • InternetSetOptionA
    • InternetSetStatusCallbackA
    • InternetSetStatusCallbackW
    • InternetWriteFile
  • WS2_32.DLL
    • closesocket
    • recv
    • send
    • WSAGetOverlappedResult
    • WSARecv
    • WSASend
  • GDI32.DLL
    • CallWindowProcA
    • CallWindowProcW
    • DefDlgProcA
    • DefDlgProcW
    • DefFrameProcA
    • DefFrameProcW
    • DefMDIChildProcA
    • DefMDIChildProcW
    • DefWindowProcA
    • DefWindowProcW
    • OpenInputDesktop
    • RegisterClassA
    • RegisterClassExA
    • RegisterClassExW
    • RegisterClassW
    • SwitchDesktop
  • USER32.DLL
    • BeginPaint
    • EndPaint
    • GetCapture
    • GetClipboardData
    • GetCursorPos
    • GetDC
    • GetDCEx
    • GetMessageA
    • GetMessagePos
    • GetMessageW
    • GetUpdateRect
    • GetUpdateRgn
    • GetWindowDC
    • PeekMessageA
    • PeekMessageW
    • ReleaseCapture
    • ReleaseDC
    • SetCapture
    • SetCursorPos
    • TranslateMessage
    • PFXImportCertStore
    • SSL_read
    • SSL_write
    • DecryptMessage
    • DeleteSecurityContext
    • EncryptMessage

If the infected PC runs Remote Desktop Service (RDS), Zbot creates a copy of itself in the default user startup folder as a randomly named file:

<DefaultUserPath>\Programs\Startup\<random letters>.exe

Examples of the <DefaultUserPath> are:


Downloads other malware, including ransomware

Win32/Zbot downloads variants of the Win32/Crilock family. This is a family of ransomware that encrypts the files on your PC and then demands money to unlock them.

You can help protect your PC from ransomware by reading more about Win32/Crilock and our help topics about ransomware.

Disables Windows Firewall

Zbot makes these changes to the registry to disable the Windows Firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Changes value: "EnableFirewall"
With data: "0"

It also stops these processes:

  • Outpost Firewall - outpost.exe
  • Zone Alarm Firewall - zlclient.exe

Changes Firewall settings

Zbot makes the following changes to the registry to prevent Windows Firewall from blocking the threat's UDP port:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Changes value: "DisableNotifications"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Changes value: "<UDP port>:UDP"
With data: "<UDP port>:udp:*:enabled:udp <UDP port>"

Lowers Internet Explorer security

Win32/Zbot lowers Internet Explorer web browser security settings by making these changes to the registry:

Disables phishing filtering:

In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"

Prevents the removal of expired Internet Explorer browser cookies:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"

Lowers Internet Explorer Internet zone security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"

Lowers Firefox security

Win32/Zbot might change the settings for the web browser Mozilla Firefox including:

  • Disable your ability to clear Internet cookies
  • Disable the warning shown when viewing pages that mix secure and insecure content
  • Disable the warning shown when submitting data to insecure pages

Lets a malicious hacker access your PC

Win32/Zbot lets a malicious hacker gain access to and control of your PC, to varying degrees. The level of control depends on the configuration data in each particular variant.

The trojan can do several actions, including:

  • Reboot/shut down your PC
  • Uninstall Zbot
  • Update Zbot and its configuration file
  • Search and remove files and directories
  • Log you off your PC
  • Run a program
  • Steal or delete Internet Explorer cookies
  • Steal or delete certificates
  • Block or unblock URLs
  • Change the Internet Explorer homepage
  • Steal your FTP credentials
  • Steal your email login credentials
  • Steal your Flash Player credentials

Downloads configuration data file

Some variants of Zbot download a configuration file from a remote server that determines how the trojan will behave. The trojan can generate up to 1020 pseudo-randomly named domains, and tries to connect with the generated list to download a configuration file. The generated domain names are based on the system date and time and have one of these suffixes:

  • biz
  • com
  • info
  • net
  • org
  • ru

Some examples include:


The configuration file contains data used by the malware like:

  • Locations from which to download updates for Zbot
  • Locations from which to download additional data files
  • The version of the malware
  • Online financial institutions to target
  • HTML and JavaScript code used for its data-stealing payload

Your PC checks a predefined list that contains 20 IP addresses and ports of other infected PCs. Upon successful contact, the configuration file containing the C&C server is fetched from the other infected PCs (the "peers"). The list of peers is updated whenever other peers contact the installed copy of Zbot. Up to 100 peer entries (IP address and UDP port combinations) can be stored.

If none of the initial 10 peers respond, the trojan can generate up to 1000 pseudo-randomly named domains and tries to connect to the generated list to download a new peer list. The data read from the domain is RSA-signed and is validated against the public key stored in the trojan's body.
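As an added example (not part of the Microsoft entry), the following PowerShell heuristic looks for the peer-list fallback described above in DNS logs: a client that resolves many distinct names under the listed suffixes within a short window looks like a host walking a generated domain list. The log format, the window, the threshold and the sample lines are assumptions.

```powershell
# Added example (not part of the Microsoft entry): a DNS-log heuristic for the peer-list
# fallback described above. A client that resolves many distinct names under the listed
# suffixes within a short window looks like a host walking a generated domain list.
# Log format, window and threshold are assumptions; tune the threshold to your network.
function Find-DgaBursts {
    param([string[]]$Lines, [string[]]$Tlds, [timespan]$Window, [int]$Threshold)
    # Parse "<ISO time> <client IP> <queried name>" and keep queries whose suffix is of interest
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 3) { continue }
        $labels = $f[2].ToLower().TrimEnd('.') -split '\.'
        if ($labels.Count -lt 2 -or $Tlds -notcontains $labels[-1]) { continue }
        [pscustomobject]@{ Time = [datetime]$f[0]; Client = $f[1]; Domain = ($labels[-2..-1] -join '.') }
    }
    # Per client, slide a window ending at each query and count distinct registered domains in it
    foreach ($group in ($events | Group-Object Client)) {
        $sorted = @($group.Group | Sort-Object Time)
        foreach ($e in $sorted) {
            $inWindow = $sorted | Where-Object { $_.Time -le $e.Time -and $_.Time -ge ($e.Time - $Window) }
            $distinct = @($inWindow | Select-Object -ExpandProperty Domain -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{ Client = $group.Name; WindowEnd = $e.Time; DistinctDomains = $distinct }
                break   # report each client once
            }
        }
    }
}

# Constructed sample log: 10.0.0.7 walks through generated names, 10.0.0.5 makes ordinary lookups.
$sample = @'
2015-07-06T10:00:01 10.0.0.5 www.microsoft.com
2015-07-06T10:00:02 10.0.0.7 xk3qprzt.biz
2015-07-06T10:00:02 10.0.0.7 mvq8dalw.com
2015-07-06T10:00:03 10.0.0.7 yt2hxncg.info
2015-07-06T10:00:03 10.0.0.7 rq9lkzpd.net
2015-07-06T10:00:04 10.0.0.7 zdp4mwxc.org
2015-07-06T10:00:04 10.0.0.7 hb7tqsle.ru
2015-07-06T10:00:09 10.0.0.5 update.microsoft.com
'@ -split '\r?\n'

# Threshold 5 is only for this tiny sample; a real generated list runs to hundreds of names.
Find-DgaBursts -Lines $sample -Tlds 'biz','com','info','net','org','ru' -Window (New-TimeSpan -Minutes 5) -Threshold 5 |
    Format-Table -AutoSize
```

On the sample above, only 10.0.0.7 is reported (five distinct domains by 10:00:04); the two microsoft.com lookups from 10.0.0.5 count as one registered domain.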

Steals sensitive information

Win32/Zbot hooks APIs used by Internet Explorer and Mozilla Firefox; it does this to monitor your online activities. It also injects HTML code into target websites to steal login credentials, when you visit these websites.

The trojan steals the following sensitive information from your PC:

  • Digital certificates
  • Internet Explorer and Firefox cookies
  • Cached passwords
  • Logged keystrokes
  • Images of screen and window captures
  • Passwords and other details (like credit card numbers), as you enter them in to targeted websites
  • Bitcoin wallet credentials (by monitoring the Bitcoin clients bitcoin-qt.exe and bitcoind.exe)

It also monitors online activity by intercepting targeted websites listed in the configuration file to steal your personal information like user name, password and credit card details.

The following are some of the target websites found in the configuration file of Zbot:


Steals FTP credentials

The trojan collects FTP credentials (IP address, port, user name, and password) from the following FTP software:

  • CoreFTP
  • FAR/FAR2
  • FileZilla
  • FlashFXP
  • FTP Commander
  • SmartFTP
  • Total Commander
  • winscp
  • ws_ftp

Steals Windows Mail and Windows Live mail credentials

If your PC is running Windows XP or earlier, Win32/Zbot uses the COM libraries msoeacct.dll and wab32.dll to capture these Windows mail account details:

  • Account name
  • Email address
  • Server
  • User name
  • Password

The .dll files are searched in the directory defined in the registry key:


Otherwise, if running on Windows Vista, Windows 7, or Windows 8, the trojan captures the credentials by parsing the Windows mail folder, specified in this registry subkey:

HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\

Steals "Full Tilt Poker" credentials

Win32/Zbot might capture logon credentials for the online gaming program Full Tilt Poker. The trojan resets logon data by deleting the following registry value:

HKCU\Software\Full Tilt Poker\UserInfo\UserName

The malware then monitors for logon activity for the game, and captures any credentials you enter.

It also logs keystrokes and gets desktop and window snapshots of the infected PC.

Tampers with the Trusteer security components

If the Trusteer .dll components rooksbas.dll and rapportgp.dll exist on your PC, the trojan patches the .dlls in memory to avoid being detected.

Performs click-fraud

Zbot has been observed taking part in click-fraud operations. It connects to certain C&C servers to receive information from the click-fraud operator. Some of the servers it connects to are:


Once connected, Zbot receives information as to what affiliate company would benefit from click-fraud.

Analysis by Rodel Finones, Zarestel Ferrer, and Patrick Estavillo


The following could indicate that you have this threat on your PC:

  • You have these files:
    • <system folder>\ntos.exe
    • <system folder>\sdra64.exe
    • <system folder>\twex.exe
    • <system folder>\wsnpoem\audio.dll
    • <system folder>\wsnpoem\video.dll
    • <system folder>\twain_32\user.ds
    • <system folder>\lowsec\local.ds
    • <system folder>\lowsec\user.ds

  • The following programs might stop running for no obvious reason:
    • Outpost Firewall - outpost.exe
    • Zone Alarm Firewall - zlclient.exe
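As an added example (not part of the Microsoft entry), the following read-only PowerShell script checks a PC for the registry, firewall, browser and file indicators described on this page. The value-name and folder-name patterns are assumptions drawn from the examples above (ecymy\huojq.exe, "{GUID}", "2772969301") and can produce false positives, so review each finding by hand.

```powershell
# Added example (not part of the Microsoft entry): read-only checks for the Win32/Zbot
# indicators described on this page. Run from an elevated PowerShell prompt on the PC
# under investigation. Name/folder patterns are heuristics assumed from the page's examples.
$findings = New-Object System.Collections.Generic.List[string]
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Winlogon Userinit should reference only userinit.exe; Zbot appends "<system folder>\<malware file>".
$userinit = [string](Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit')
$extra = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch '\\userinit\.exe$' })
if ($extra.Count) { $findings.Add("Winlogon Userinit has extra entries: $($extra -join ', ')") }

# 2. Run keys: a bare-number or {GUID} value name, or data pointing at lower-case
#    <random>\<random>.exe under Application Data / AppData / Temp (case-sensitive match).
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $data = [string]$p.Value
        $badName = ($p.Name -match '^\d+$') -or ($p.Name -match '^\{[0-9A-Fa-f-]{36}\}$')
        $badData = $data -cmatch '(Application Data|AppData\\Roaming|%APPDATA%|Temp|%TEMP%)\\[a-z]{3,12}\\[a-z]{3,12}\.exe'
        if ($badName -or $badData) { $findings.Add("Run value '$($p.Name)' in $key -> $data") }
    }
}

# 3. Windows Firewall StandardProfile policy and globally opened UDP ports
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
if ((Get-RegValue $fw 'EnableFirewall') -eq 0) { $findings.Add('Firewall StandardProfile EnableFirewall = 0') }
if ((Get-RegValue $fw 'DisableNotifications') -eq 1) { $findings.Add('Firewall StandardProfile DisableNotifications = 1') }
$ports = Get-ItemProperty -Path "$fw\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
if ($ports) {
    $ports.PSObject.Properties | Where-Object { $_.Name -match ':UDP$' -and "$($_.Value)" -match 'enabled' } |
        ForEach-Object { $findings.Add("Globally open UDP port: $($_.Name) = $($_.Value)") }
}

# 4. Internet Explorer: phishing filter off, cookie cleanup off, zone actions 1609/1406 set to 0
$pf = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
foreach ($v in 'Enabled', 'EnabledV8') { if ((Get-RegValue $pf $v) -eq 0) { $findings.Add("IE PhishingFilter $v = 0") } }
if ((Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Privacy' 'CleanCookies') -eq 0) { $findings.Add('IE CleanCookies = 0') }
foreach ($zone in 0..4) {
    $zk = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    foreach ($action in '1609', '1406') { if ((Get-RegValue $zk $action) -eq 0) { $findings.Add("IE zone $zone action $action = 0") } }
}

# 5. Dropped-file indicators from the symptom list above
$sys = [Environment]::SystemDirectory
$files = @('ntos.exe', 'sdra64.exe', 'twex.exe', 'wsnpoem\audio.dll', 'wsnpoem\video.dll',
           'twain_32\user.ds', 'lowsec\local.ds', 'lowsec\user.ds')
foreach ($f in $files) { $full = Join-Path $sys $f; if (Test-Path -LiteralPath $full) { $findings.Add("File present: $full") } }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Win32/Zbot indicators found.' }
```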


Alert level: Severe
This entry was first published on: Apr 30, 2010
This entry was updated on: Jul 06, 2015

This threat is also detected as:
  • Zeus (other)
  • Wsnpoem (Symantec)
  • Citadel (other)