Trojan-Spy.Win32.Zbot is a spyware trojan designed to gather information from the infected computer and steal sensitive data.
Analysis date: 26 July 2013
Risk Impact/Damage: High
Behavior and damage of Trojan-Spy.Win32.Zbot:
• Creates registry entries under: HKEY_CURRENT_USER\Software\Microsoft\Zokiixky
• Creates a [*Random*].exe file under %APPDATA%\[*Random*]\
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is “C:\Documents and Settings\<user>\Application Data”. For Windows Vista, 7, and 8, the default location is “C:\Users\<user>\AppData\Roaming”.
• Starts alupim.exe
Behavior and analysis of alupim.exe:
• Creates registry entries under: HKEY_CURRENT_USER\Software\Microsoft\Zokiixky
• Hijacks a system process: it obtains the access permissions of explorer.exe to replace its own, copies itself into explorer.exe and runs there.
• Duplicates its handle into other running processes so that its file cannot be deleted by other programs.
• Adds a registry entry pointing to:
C:\Documents and Settings\Administrator\Application Data\Adcaub\ixka.exe
How to Remove Trojan-Spy.Win32.Zbot?
Automatic Removal Tool: Anvi Smart Defender
If you are infected with Trojan-Spy.Win32.Zbot, we recommend that you run a full system scan. Alternatively, you can try the manual method below.
1. Boot your computer into Safe Mode or Safe Mode with Networking.
2. Go to C:\Documents and Settings\Administrator\Application Data\, locate the random-named .exe and delete it.
3. Click Start -> Run, type “regedit” and edit the following registry entries:
Locate HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ and delete the entry that points to the random-named file.
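Before editing the registry by hand, it helps to see exactly which entries match the persistence pattern described above. The following PowerShell script is an added triage example, not part of the original article and not a tool from Anvi; it checks the indicators named on this page (the Zokiixky key, Run values pointing into the Application Data folder, executables dropped one level below %APPDATA%, and processes named alupim or ixka) and only reports what it finds. It assumes PowerShell 3.0 or later (for the -Directory and -File switches) and that the file and process names are the ones from this sample; real infections use random names, so the Run-key and folder checks are the more general ones.

```powershell
# Added triage script (not from the original article): audits the persistence
# locations described above and reports findings. It deletes nothing.
function Find-ZbotIndicators {
    $findings = @()

    # 1. Malware-specific key named on the page.
    $zKey = 'HKCU:\Software\Microsoft\Zokiixky'
    if (Test-Path $zKey) {
        $findings += "Registry key present: $zKey"
    }

    # 2. Run-key values whose target lives in the Application Data folder
    #    (the %APPDATA%\[Random]\[Random].exe persistence pattern).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    # Property names that the registry provider adds to every item; not real values.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $target = [string]$p.Value
            if ($target -like "*$env:APPDATA*" -or $target -like '*Application Data*') {
                $findings += "Run value '$($p.Name)' -> $target"
            }
        }
    }

    # 3. Executables sitting directly in a subfolder of %APPDATA%.
    Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += "Executable in %APPDATA% subfolder: $($_.FullName)"
        }
    }

    # 4. Running processes with the names this sample used (random per sample).
    foreach ($name in @('alupim', 'ixka')) {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += "Running process named on the page: $($_.Name) (PID $($_.Id))"
        }
    }

    return $findings
}

$results = Find-ZbotIndicators
if ($results.Count -eq 0) {
    'No Trojan-Spy.Win32.Zbot indicators found.'
} else {
    $results
}
```

Run it from the user profile that is suspected to be infected, since the key and Run entries live under HKEY_CURRENT_USER and %APPDATA% resolves per user. A hit on check 2 or 3 is what step 2 and step 3 of the manual procedure remove; run the script again afterwards to confirm the entries are gone.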