Win32/Spy.Zbot [Threat Name]

Win32/Spy.Zbot.QT.Gen [Threat Variant Name]

Category trojan
Aliases Trojan.Zbot (Symantec)
Short description

Win32/Spy.Zbot.QT.Gen is a trojan that steals passwords and other sensitive information. It also serves as a backdoor and can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%\%variable2%.exe

The trojan may create the following files:

  • %appdata%\%variable3%\%variable4%.tmp
  • %appdata%\%variable3%\%variable4%.%variable5%

To be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable6%" = "%appdata%\%variable1%\%variable2%.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\%variable4%]
    • "%variable7%" = %configurationdata%

%variable1-7% and %configurationdata% stand for strings with variable content: the directory, file and value names differ from sample to sample, and %configurationdata% is the trojan's stored configuration.
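The drop location and the Run value together give a simple triage check for an endpoint: a Run entry whose image is an .exe sitting exactly one directory below %APPDATA%. The following is an added example, not part of the write-up or of ESET's tooling; it runs that check over a constructed list of Run values (every name and path is made up, and %APPDATA% is assumed for a sample user) and returns the entries that match the layout.

```python
import re

# Constructed sample of the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run as (name, data) pairs.
# On a live host you would enumerate them with winreg instead; every name
# and path here is made up for the example.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Xdoqw",    r"C:\Users\alice\AppData\Roaming\Paufy\evyxo.exe"),
    ("Updater",  r"%APPDATA%\Keqwi\rdozx.exe"),
    ("Spotify",  r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe -u"),
    ("Teams",    r"C:\Program Files\Teams\Update.exe --processStart Teams.exe"),
]

APPDATA = r"C:\Users\alice\AppData\Roaming"   # assumed %APPDATA% of the sample user


def image_path(value_data):
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted form: the path ends at the first ".exe" token.
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def expand_appdata(path, appdata=APPDATA):
    """Expand %APPDATA% (case-insensitive) so literal and expanded forms compare equal."""
    return re.sub(r"%appdata%", lambda _: appdata, path, flags=re.IGNORECASE)


def zbot_like_location(path, appdata=APPDATA):
    """Return (directory, file) when the image is %APPDATA%\<one directory>\<name>.exe,
    the drop layout described in the write-up; otherwise None."""
    full = expand_appdata(path, appdata)
    prefix = appdata.rstrip("\\") + "\\"
    if not full.lower().startswith(prefix.lower()):
        return None
    parts = full[len(prefix):].split("\\")
    if len(parts) == 2 and parts[1].lower().endswith(".exe"):
        return parts[0], parts[1]
    return None


def triage(run_values, appdata=APPDATA):
    """Return [(value_name, directory, exe)] for Run entries matching the layout."""
    hits = []
    for name, data in run_values:
        loc = zbot_like_location(image_path(data), appdata)
        if loc:
            hits.append((name, loc[0], loc[1]))
    return hits


if __name__ == "__main__":
    for name, directory, exe in triage(SAMPLE_RUN_VALUES):
        print(f"Run\\{name} -> %APPDATA%\\{directory}\\{exe}")
```

The constructed Spotify entry is flagged as well, which is the point: legitimate software also lives one level below %APPDATA%, so the layout is a triage filter, not a verdict. Confirm a hit with the image's signature or hash and with the companion artifacts above (the .tmp file in a second %APPDATA% directory and the HKEY_CURRENT_USER\Software\Microsoft\<name> key holding binary configuration data).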

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The trojan collects information related to the following applications:

  • CoreFTP
  • Far Manager
  • Far Manager 2
  • Filezilla
  • FlashFXP
  • FTP Commander
  • IPSwitch
  • SmartFTP
  • Total Commander
  • WinSCP
  • WS_FTP

The trojan collects the following information:

  • digital certificates
  • cookies
  • passwords
  • Windows Protected Storage passwords and credentials

The trojan can send the information to a remote machine.

Other information

The trojan hooks the following API functions (the nspr4.dll exports are Firefox's NSPR networking functions, not Windows APIs):

  • PFXImportCertStore (crypt32.dll)
  • GetFileAttributesExW (kernel32.dll)
  • PR_Close (nspr4.dll)
  • PR_OpenTCPSocket (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • LdrLoadDll (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • GetClipboardData (user32.dll)
  • TranslateMessage (user32.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
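
A practitioner checking a live process for these hooks compares the first bytes of each listed export with a known-good copy, or at least looks for a control transfer out of the exporting module. The following is an added example, not code from the write-up or from ESET: it decodes the trampolines inline hooks commonly use (jmp rel32, jmp rel8, push/ret, mov eax/jmp eax) over constructed 32-bit sample bytes with made-up module bounds and export addresses, and flags exports whose first instruction lands outside their own module.

```python
import struct

# Constructed sample of memory as it might be read from a hooked process.
# Module bounds and export addresses are made up for this example; on a real
# host they come from the loaded-module list and the export table, and the
# prologue bytes from ReadProcessMemory.
MODULES = {
    "wininet.dll": (0x76D40000, 0x76E40000),
    "ws2_32.dll":  (0x77010000, 0x77050000),
    "user32.dll":  (0x76F00000, 0x77000000),
}

# (export, owning module, address of export, first 8 bytes at that address)
SAMPLES = [
    # clean Win32 prologue: mov edi,edi / push ebp / mov ebp,esp / sub esp,10h
    ("HttpQueryInfoA",   "wininet.dll", 0x76D5A1F0, bytes.fromhex("8bff558bec83ec10")),
    # jmp rel32 to 0x00A23010, a region outside wininet.dll
    ("HttpSendRequestA", "wininet.dll", 0x76D5B230, bytes.fromhex("e9db7dcc89909090")),
    # jmp rel32 that stays inside ws2_32.dll (a thunk, not a hook)
    ("send",             "ws2_32.dll",  0x77023100, bytes.fromhex("e900100000909090")),
    # push imm32 / ret to 0x00A23400
    ("closesocket",      "ws2_32.dll",  0x77024480, bytes.fromhex("680034a200c39090")),
    # mov eax,imm32 / jmp eax to 0x00A23510
    ("GetClipboardData", "user32.dll",  0x76F31A00, bytes.fromhex("b81035a200ffe090")),
]


def decode_redirect(addr, code):
    """Return the absolute target if `code` (located at `addr`) starts with one of
    the trampolines inline hooks use, else None.  32-bit x86 only."""
    if len(code) >= 5 and code[0] == 0xE9:                               # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                               # jmp rel8 (hot-patch style)
        rel = struct.unpack_from("<b", code, 1)[0]
        return (addr + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:           # push imm32 / ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":  # mov eax,imm32 / jmp eax
        return struct.unpack_from("<I", code, 1)[0]
    return None


def owner(target, modules=MODULES):
    """Name of the module whose address range contains `target`, or None if unbacked."""
    for name, (lo, hi) in modules.items():
        if lo <= target < hi:
            return name
    return None


def scan(samples=SAMPLES, modules=MODULES):
    """Report exports whose first instruction transfers control outside the module
    that exports them.  Returns [(export, module, target, target_owner)]."""
    findings = []
    for export, module, addr, code in samples:
        target = decode_redirect(addr, code)
        if target is None:
            continue
        where = owner(target, modules)
        if where != module:
            findings.append((export, module, target, where))
    return findings


if __name__ == "__main__":
    for export, module, target, where in scan():
        print(f"{module}!{export}: redirected to {target:#010x} ({where or 'unbacked memory'})")
```

The in-module jump on `send` is deliberately not reported, since compilers and Microsoft's hot-patch padding produce legitimate jumps within a module; a transfer into memory that no loaded module backs, on one of the exports listed above, is what to treat as a Zbot indicator. jmp [abs32] (FF 25) stubs need the pointer dereferenced before the target is known and are not decoded here.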

The trojan receives data and instructions for further action from the Internet or from another remote computer in its own network (botnet). It contains a URL address and communicates over HTTP.

It can execute the following operations:

  • monitor network traffic
  • steal information from the Windows clipboard
  • remove itself from the infected computer
  • shut down/restart the computer
  • capture screenshots
  • set up a proxy server
  • log keystrokes
  • run executable files
  • download files from a remote computer and/or the Internet
  • block access to specific websites
