Win32/Zemot
Severe | Detected with Windows Defender Antivirus
Aliases: No associated aliases
Summary
Windows Defender detects and removes this threat.
The threat is used by other malware to download more malware onto your PC. This means that if you have this malware, it's highly likely you also have Win32/Kuluoz, Win32/Zbot, Win32/Rovnix, or others.
This malware is installed by Win32/Kuluoz. It can also get on your PC when you visit links to compromised or malicious websites sent in spam emails.
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
You should also run a full scan. A full scan might find hidden malware.
Advanced troubleshooting
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
Get more help
You can also ask for help from other PC users at the Microsoft virus and malware community.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
It tries to create the following registry entries to mark its installation and record its own version number. When it later checks in with its remote server, it compares this stored value against the server's to decide whether it needs to update itself.
In subkey: HKLM\Software\<random>, for example HKLM\Software\Osnuafczni
Sets value: "License"
With data: "<version number of the malware>", for example "415"
In subkey: HKCU\Software\<random>, for example HKCU\Software\Osnuafczni
Sets value: "License"
With data: "<version number of the malware>", for example "415"
Payload
Downloads updates and other malware
The threat connects to a remote server to download updates and other malware. The server address is hardcoded in the malware.
We have seen it connect to the following servers:
It then downloads an updated version of itself and other malware files, including variants of:
- PWS:Win32/Zbot - a password stealer that targets online banking and other credentials
- TrojanDropper:Win32/Rovnix - used to drop more malware on your PC
The downloaded file is saved as one of the following:
- %TEMP%\Java_Update_<random_characters>.exe, for example, %TEMP%\Java_Update_5a8bf3e9.exe
- %TEMP%\UpdateFlashPlayer_<random_characters>.exe, for example, %TEMP%\UpdateFlashPlayer_b61c21a2.exe
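The installation marker and the dropped-file names above are the two host artifacts this page gives a responder to look for. The following PowerShell triage script is an added example, not Microsoft's code or part of the original page. It assumes (my assumptions, not stated on the page) that the random subkey name is a run of letters like "Osnuafczni" and that the random file suffix is eight hex digits like "5a8bf3e9"; adjust the patterns if the variant you are looking at differs.

```powershell
# Added triage script (not Microsoft's code): looks for the two host artifacts this
# page attributes to Win32/Zemot -- the "License" installation marker under a
# randomly named subkey of HKLM\Software / HKCU\Software, and downloaded payloads
# saved as %TEMP%\Java_Update_<random>.exe or %TEMP%\UpdateFlashPlayer_<random>.exe.
# Assumptions (mine, not from the page): the random subkey name is a run of letters
# like "Osnuafczni", and the random file suffix is 8 hex digits like "5a8bf3e9".

function Find-ZemotRegistryMarker {
    # HKCU only covers the user running the script; walk HKU:\ or load other
    # users' NTUSER.DAT hives if you need every profile on the machine.
    $roots = 'HKLM:\Software', 'HKCU:\Software'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^[A-Za-z]{6,16}$' } |
            ForEach-Object {
                $key = $_
                $license = $key.GetValue('License')
                # A bare marker key holds a short numeric version (for example 415) and
                # little else; legitimate vendor keys usually carry many more values.
                if ($null -ne $license -and "$license" -match '^\d{1,5}$' -and $key.GetValueNames().Count -le 2) {
                    [pscustomobject]@{
                        Indicator = 'RegistryMarker'
                        Path      = $key.Name
                        License   = "$license"
                    }
                }
            }
    }
}

function Find-ZemotDroppedFile {
    # Check the current user's %TEMP% plus every local profile's Temp folder.
    $dirs = @($env:TEMP) + @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
    foreach ($dir in ($dirs | Sort-Object -Unique)) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(Java_Update|UpdateFlashPlayer)_[0-9a-f]{8}\.exe$' } |
            ForEach-Object {
                # A valid Authenticode signature from Oracle or Adobe argues against the
                # file being a Zemot download; anything else deserves a closer look.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Indicator  = 'DroppedFile'
                    Path       = $_.FullName
                    SizeBytes  = $_.Length
                    CreatedUtc = $_.CreationTimeUtc
                    Signature  = $sig.Status
                    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$findings = @(Find-ZemotRegistryMarker) + @(Find-ZemotDroppedFile)
if ($findings.Count -eq 0) {
    'No Zemot registry marker or dropped-file name found.'
} else {
    $findings | Format-List
    # Follow a hit with a full Windows Defender or Safety Scanner scan rather than
    # deleting by hand: the page notes Zemot travels with Kuluoz, Zbot and Rovnix,
    # and the marker alone does not tell you which of those are also present.
}
```

Run it from an elevated PowerShell prompt so the HKLM branch and other users' Temp folders are readable. Treat the output as leads for a scan, not as proof of infection: the subkey-name and file-name heuristics are loose by design, and the SHA256 and signer fields are there so a hit can be checked against a reputation service or submitted for analysis.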
The infection chain at the time of analysis (shown as a diagram on the original page): a spam email generated by the Kuluoz spambot leads to a Win32/Kuluoz infection, which installs Zemot, which in turn downloads updates of itself along with Zbot and Rovnix.
Analysis by Patrick Estavillo
Symptoms
Alerts from your security software might be the only symptom. Because Zemot downloads other malware, you might start to see alerts about lots of different infections.
Concerned about incorrect detections?
If you suspect a file is malware or has been incorrectly detected, submit the file for analysis.