TROJ_ZBOT.PG
This Trojan arrives as a file downloaded from a certain URL. It downloads a configuration file from a certain Web site. That file specifies where the Trojan can download an updated copy of itself and where to send its stolen data. The configuration file also lists the bank-related Web sites that the Trojan monitors and steals information from.

Once a user accesses any of the monitored sites, the Trojan starts logging keystrokes. It saves the gathered information in a file, then sends it to a remote site through HTTP POST.

It creates a mutex to ensure that only one instance of itself is running in memory. It modifies the Windows HOSTS file to prevent the user from accessing certain domains. It checks for the presence of processes related to Outpost Personal Firewall and ZoneLabs Firewall Client, then terminates those processes. It has rootkit capabilities, which enable it to hide its processes and files from the user.

Original Source: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZBOT.PG