Win32/Spy.Zbot [Threat Name] go to Threat

Win32/Spy.Zbot.YU [Threat Variant Name]

Category trojan
Size 105984 B
Aliases Trojan-Spy.Win32.Zbot.ajws (Kaspersky)
  Suspicious.SillyFDC (Symantec)
  PWS:Win32/Zbot.gen!R (Microsoft)
Short description

Win32/Spy.Zbot.YU is a trojan that steals passwords and other sensitive information. The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %system%\­d3dg86.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "UserInit" = "%originalvalue%, %system%\­d3dg86.exe,"

This causes the trojan to be executed on every system start.

The trojan may create the following files:

  • %system%\­folder\­l0cal.ds
  • %system%\­folder\­us3r.ds
  • %system%\­folder\­us3r.ds.lll

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­InternetExplorer\­PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
Information stealing

Win32/Spy.Zbot.YU is a trojan that steals passwords and other sensitive information.

The following information is collected:

  • cookies
  • passwords
  • computer name
  • operating system version
  • Windows Protected Storage passwords and credentials

The trojan collects sensitive information when the user browses certain web sites.

The trojan can send the information to a remote machine.

Other information

The trojan hooks the following Windows APIs:

  • NtCreateThread (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • GetClipboardData (user32.dll)
  • TranslateMessage (user32.dll)
  • PFXImportCertStore (crypt32.dll)

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains an URL address. The HTTP protocol is used.

It may perform the following actions:

  • update itself to a newer version
  • block access to specific websites
  • monitor network traffic
  • steal information from the Windows clipboard
  • remove itself from the infected computer
  • run executable files
  • download files from a remote computer and/or the Internet
  • shut down/restart the computer
  • capture screenshots
  • set up a proxy server
  • log keystrokes
  • collect information about the operating system used
  • retrieve information from protected storage and send it to the remote computer
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.