W32/Zbot.YW!tr
Analysis
W32/Zbot.YW!tr is a generic detection for a trojan that can steal user information and send it to a remote server.
Below are examples of some of its behaviors:
- Creates a folder with a randomized name in the Application Data folder, then drops a modified copy of itself using a randomized file name.
- Creates the following registry entry to automatically execute its dropped copy every time the infected user logs on:
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - value: [Random SID]
  - data: %AppData%\[RandomName1]\[RandomName2].exe
- Creates the following registry entry, which adds explorer.exe to the Windows Firewall authorized applications list (Standard Profile) so that network connections made through that process are not blocked:
  - key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - value: %Windows%\explorer.exe
  - data: %Windows%\explorer.exe:*:Enabled:Windows Explorer
- Drops the batch file tmp[RandomName5].bat into the Temporary folder; the batch file is used to delete the original executable.
- Attempts to connect to angry{Removed}.ru.
- Deletes its original copy from the current folder.
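As an added triage example (not Fortinet's code), the script below parses a `reg export` dump and flags the two registry artifacts listed above: a Run entry that launches a randomly named .exe from a randomly named folder directly under %AppData%, and an explorer.exe entry in the firewall AuthorizedApplications list. The sample dump is constructed; the lowercase-letters heuristic for "randomized" names and the helper names are assumptions made for this example.

```python
"""Scan a `reg export` dump for the W32/Zbot.YW!tr persistence and firewall
indicators listed above. Added example, not Fortinet's code. The .reg parser
covers only [key] headers and "name"="string" lines; the randomized-name
heuristic and the sample dump are assumptions constructed for this example."""
import json
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# <dir>\<file>.exe directly under the roaming profile, as the analysis describes.
ROAMING_EXE = re.compile(
    r"^(?:[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming|%AppData%)\\([^\\]+)\\([^\\]+)\.exe$",
    re.IGNORECASE)
# Assumption: the randomized folder/file names are short runs of lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{4,10}$")
# "name"=data  (data is either a quoted string or a raw dword:/hex: value)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # Undo .reg escaping: a doubled backslash and a backslash-quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_lowercased: {value_name: data}} for the dump's values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue  # version header, blank line, @= default value, continuation
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _image_path(data):
    """Executable path of a Run value: the quoted part, else the whole string."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data  # an unquoted path with arguments will simply not match ROAMING_EXE


def find_indicators(reg_text):
    """Return Run entries and firewall-exception entries matching the analysis."""
    keys = parse_reg(reg_text)
    run_hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        path = _image_path(data)
        m = ROAMING_EXE.match(path)
        if m and RANDOM_NAME.match(m.group(1)) and RANDOM_NAME.match(m.group(2)):
            run_hits.append((name, path))
    fw_hits = []
    for name, data in keys.get(FW_LIST_KEY.lower(), {}).items():
        # explorer.exe is not normally present in the authorized-applications list.
        if name.lower().endswith("\\explorer.exe"):
            fw_hits.append((name, data))
    return {"run_entries": run_hits, "firewall_entries": fw_hits}


# Constructed sample dump: one benign Run entry, one Zbot-style entry, and the
# explorer.exe firewall exception next to an unrelated legitimate one.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"{C3A1F2D4-7B2E-4E6A-9B1C-2D3E4F5A6B7C}"="C:\\Users\\alice\\AppData\\Roaming\\ikyzah\\ubyd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\explorer.exe"="C:\\Windows\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Example\\svc.exe"="C:\\Program Files\\Example\\svc.exe:*:Enabled:Example Service"
'''

if __name__ == "__main__":
    print(json.dumps(find_indicators(SAMPLE_DUMP), indent=2))
```

On a live host, `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for the firewall List key) writes a UTF-16LE file with a BOM, so open it with `encoding="utf-16"` before passing the text to `find_indicators`. A Run hit only says the path has the shape the analysis describes; confirm it by hashing the dropped file and checking the firewall data string against the one listed above.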
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
- Remove the Run entry and the firewall exception described above; quarantining the dropped executable alone leaves them in place.
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR