W32/Zbot.AAU!tr.spy
Analysis
W32/Zbot.AAU!tr.spy is a generic detection for a type of trojan that uses a polymorphic custom packer. Since this is a generic detection, malware samples that are detected as W32/Zbot.AAU!tr.spy may exhibit varying behavior.
Below are examples of some of these behaviors:
- Creates a folder with a randomized name in the Temporary folder, then drops a copy of itself there using a randomized file name.
- Creates the following registry entry to automatically execute its dropped copy every time the infected user logs on:
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[RandomFileName_1]
  - value: [RandomFileName_1]
  - data: %Temp%\[RandomFolderName]\[RandomFileName_1].exe
- Drops the following file, which can stop a number of security programs from working:
  - %System%\drivers\[RandomFileName_2].sys
- Drops the file [RandomFileName_3].bat to the Temporary folder for self-deletion.
- Deletes its original copy from the current folder.
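As an added example that is not part of the Fortinet write-up, the following Python script triages a registry export for Run entries matching the persistence pattern listed above: an .exe launched from a subfolder of the Temporary folder whose Run value name equals the file name. The export excerpt and the environment mapping are constructed sample data, and the script assumes REG_SZ values in `reg export` format.

```python
import re
from pathlib import PureWindowsPath

# Constructed "reg export" excerpt (REG_SZ values only), not taken from the
# page; the second entry mirrors the persistence pattern described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qgxlwe"="%Temp%\\bvqwzh\\qgxlwe.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

# Constructed environment of the examined profile (assumption)
ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}
RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def expand_env(path, env):
    # Resolve %VAR% tokens from the supplied environment (case-insensitive)
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def exe_path(command):
    # Drop surrounding quotes and trailing arguments, keep the .exe path
    m = re.match(r'^"?(.*?\.exe)', command, re.I)
    return m.group(1) if m else command

def find_temp_run_entries(reg_text, env):
    """Return (value name, resolved path) for HKCU Run entries that launch an
    .exe from a subfolder of %Temp% and whose value name equals the file stem."""
    temp = PureWindowsPath(env["TEMP"])
    findings, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: track whether we are inside Run
            in_run_key = line.lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if not (in_run_key and m):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        target = PureWindowsPath(expand_env(exe_path(data), env))
        if (temp in target.parents and target.parent != temp
                and target.stem.lower() == name.lower()):
            findings.append((name, str(target)))
    return findings
```

Running `find_temp_run_entries(SAMPLE_REG, ENV)` flags only the `qgxlwe` entry; the two vendor entries, which live outside the Temporary folder, are left alone.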
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |