W32/Zbot.AAU!tr.spy

Analysis

W32/Zbot.AAU!tr.spy is a generic detection for a type of trojan that uses a polymorphic custom packer. Since this is a generic detection, malware that are detected as W32/Zbot.AAU!tr.spy may have varying behavior.
Below are examples of some of these behaviors:

• Creates a folder with a randomized name in the Temporary folder, then drops a copy of itself there using a randomized file name.


• Creates the following registry entry to automatically execute its dropped copy every time the infected user logs on:
  
  • key: HKCU\Software\Microsoft\Windows\CurrentVersioin\Run\[RandomFileName_1]
  • value: [RandomFileName_1]
  • data: undefinedTempundefined\[RandomFolderName]\[RandomFileName_1].exe


• Drops the following file, which can stop a number of security programs from working:
  
  • undefinedSystemundefined\drivers\[RandomFileName_2].sys


• Drops the file [RandomFileName_3].bat to the Temporary folder for self-deletion.


• Deletes its original copy from the current folder.

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.