W32/Zbot.YW!tr

Analysis


W32/Zbot.YW!tr is a generic detection for a trojan that can steal user information and send it to a remote server.
Below are examples of some of its behaviors:

  • Creates a folder with a randomized name in the Application Data folder, then drops a modified copy of itself using a randomized file name.

  • Creates the following registry entry to automatically execute its dropped copy every time the infected user logs on:
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Random SID]
    • value: [Random SID]
    • data: %AppData%\[RandomName1]\[RandomName2].exe

  • Creates the following registry entry to add explorer.exe to the Windows Firewall authorized-applications list, so that network connections made from that process are not blocked. Note that the exception is for explorer.exe, not for the dropped copy, so a firewall review that only looks for unfamiliar executables will miss it:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • value: %Windows%\explorer.exe
    • data: %Windows%\explorer.exe:*:Enabled:Windows Explorer

  • Drops a batch file named tmp[RandomName5].bat into the Temporary folder, which it uses to delete its original copy.

  • Attempts to connect to angry{Removed}.ru.

  • Deletes its original copy from the current folder.
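The two registry artifacts above (a Run value pointing at an .exe two levels under %AppData%, and a firewall exception for explorer.exe) are easy to hunt for in a collected .reg export. The script below is an added triage example, not Fortinet's code: it parses a .reg export with a minimal parser and flags both artifacts. The sample export, including the random folder and file names (Ysyrut, oheb.exe) and the GUID-style value name, is constructed for illustration and does not come from the page.

```python
"""Offline triage for the Zbot registry artifacts described above.

Added example (not Fortinet's code). Parses a .reg export and flags:
  * HKCU ...\Run values whose data is an .exe under %AppData%\<dir>\ (the dropped copy)
  * AuthorizedApplications\List values that whitelist explorer.exe (the firewall exception)
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Match either the literal %AppData% variable or its expansion on the XP
# ("Documents and Settings\...\Application Data") and Vista+ ("AppData\Roaming")
# layouts, followed by exactly one sub-folder and an .exe, as on the page.
APPDATA_EXE = re.compile(
    r"^(?:%AppData%"
    r"|[A-Za-z]:\\Documents and Settings\\[^\\]+\\Application Data"
    r"|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)"
    r"\\[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Data format of the XP firewall list: "<path>:*:Enabled:<display name>".
EXPLORER_FW = re.compile(r"explorer\.exe:\*:Enabled:", re.IGNORECASE)

# Constructed sample export (not real telemetry); names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{A1B2C3D4-1111-2222-3333-444455556666}"="%AppData%\\Ysyrut\\oheb.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"
'''

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: string data}}.

    Only quoted REG_SZ values are collected; hex:/dword: values and the
    default value (@=) are ignored, which is enough for these two artifacts.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_zbot_artifacts(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, value name, data) for each suspicious entry found."""
    keys = parse_reg(reg_text)
    hits: List[Tuple[str, str, str]] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if APPDATA_EXE.match(data.strip('"')):
            hits.append(("run-key-appdata-exe", name, data))
    for name, data in keys.get(FW_LIST_KEY, {}).items():
        if EXPLORER_FW.search(data):
            hits.append(("firewall-explorer-exception", name, data))
    return hits


if __name__ == "__main__":
    for artifact, name, data in find_zbot_artifacts(SAMPLE_REG):
        print(f"{artifact}: {name} -> {data}")
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM firewall key) output from a suspect host; regedit writes UTF-16 with a BOM, so open the file with the matching encoding before passing its text in. The Run-key check is deliberately narrow (exactly one folder between the profile's Application Data and the .exe) to mirror the layout described on the page; widen it if you want to catch other droppers that use the same location.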

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-04-15 92.03397
2024-02-23 92.01851
2024-02-23 92.01850
2023-12-25 92.00041
2023-12-11 91.09621
2023-11-08 91.08627
2023-11-01 91.08413
2023-10-24 91.08175
2023-09-26 91.07317
2023-09-20 91.07124