Wednesday, May 11, 2011

How to secure your computer from malicious programs of Trojan-Spy.Win32.Zbot family

In this section you will find recommendations on how to fight malicious programs which cannot be disinfected by Kaspersky Lab's products. In order to disinfect or remove such programs you may have to modify the system registry or use an additional utility. If you cannot find the necessary information, or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.


At present Kaspersky Lab analysts observe wide distribution of Trojan programs of the Trojan-Spy.Win32.Zbot family. These programs are used by cyber-criminals to steal banking information from infected computers. As a rule the malware leaves no visible signs of its activity and is therefore hard to detect on a victim computer that is not protected by an anti-virus program. Additionally, these programs use rootkit techniques as self-defense to hide their executable files and processes.


Programs of the Trojan-Spy.Win32.Zbot family usually penetrate your computer when you visit infected Internet pages. However, each cyber-criminal chooses his own way of using this malware and of delivering it to your computer.


You can secure your computer and your personal data from Trojan-Spy.Win32.Zbot by installing anti-virus software on your PC and updating it regularly so that it “knows” new modifications of Trojan-Spy.Win32.Zbot. Kaspersky Lab applications will prevent your computer from being infected by Trojan-Spy.Win32.Zbot and, if your PC is already infected, will delete any traces of the infection.


If you do not use any anti-virus program, you are strongly recommended to scan your computer for modifications of Trojan-Spy.Win32.Zbot with the special utility ZbotKiller.exe before you perform any online banking operations. If any modifications are detected, disinfect the infected system with the same utility ZbotKiller.exe.


This article describes where programs of the Trojan-Spy.Win32.Zbot family usually save their data (but these files may be hidden), and how the utility ZbotKiller.exe can be launched.


Main symptoms of Trojan-Spy.Win32.Zbot infection


1. One or several of the following files appear in the folders %windir%\system32 and %AppData%:

o ntos.exe
o twex.exe
o twext.exe
o oembios.exe
o sdra64.exe
o lowsec\local.ds
o lowsec\user.ds

Information: %windir%\system32 and %AppData% are Microsoft Windows system folders. Depending on the version of the OS installed, the path to these folders may vary:


+ Under Windows Vista the full paths to these folders are the following: C:\Windows\System32 and C:\Users\\AppData.

+ Under Windows XP Professional the full paths to these folders are the following: C:\WINDOWS\system32 and C:\Documents and Settings\\Application Data.

2. Links to the suspicious files mentioned above appear in the following system registry keys:

o HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
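As an added example (not part of the original article and not a Kaspersky Lab tool), the following read-only PowerShell script checks a Windows host for the two kinds of symptom listed above: the indicator file names in %windir%\system32 and %AppData% (including the lowsec subfolder), and references to them in the Userinit and Run registry values. The expected clean Userinit value, the per-user scope of %AppData%, and the exact folder list are assumptions made here; the script only reports what it finds and removes nothing.

```powershell
# Added example, not part of the original article or of Kaspersky Lab's tooling.
# Read-only triage: reports the file and registry symptoms listed above and
# changes nothing. Run from an elevated PowerShell prompt so that System32 and
# HKLM are readable.

function Get-ZbotIndicators {
    # File names from the article's symptom list (matched case-insensitively).
    $indicatorNames = @('ntos.exe', 'twex.exe', 'twext.exe', 'oembios.exe',
                        'sdra64.exe', 'local.ds', 'user.ds')

    # Folders named in the article. %AppData% resolves for the current user only
    # (assumption: check other profiles separately on a multi-user machine).
    $folders = @(
        (Join-Path $env:windir 'system32'),
        (Join-Path $env:windir 'system32\lowsec'),
        $env:APPDATA,
        (Join-Path $env:APPDATA 'lowsec')
    )

    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force includes hidden and system files; the article warns these files may be hidden.
        Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($indicatorNames -contains $_.Name) } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Type     = 'File'
                    Location = $_.FullName
                    Detail   = ('{0} bytes, modified {1}' -f $_.Length, $_.LastWriteTime)
                }
            }
    }

    # Userinit under HKLM\...\Winlogon is normally exactly "<windir>\system32\userinit.exe,"
    # (assumption about the clean value); an extra comma-separated entry is the symptom.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $expected = Join-Path $env:windir 'system32\userinit.exe'
        $userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
            if ($_ -ine $expected) {
                New-Object PSObject -Property @{ Type = 'Registry'; Location = "$winlogon\Userinit"; Detail = $_ }
            }
        }
    }

    # HKCU\...\Run: any value whose command line mentions one of the indicator names.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip the registry provider's own metadata properties
            $cmd = [string]$prop.Value
            foreach ($name in $indicatorNames) {
                if ($cmd -match [regex]::Escape($name)) {
                    New-Object PSObject -Property @{ Type = 'Registry'; Location = "$runKey\$($prop.Name)"; Detail = $cmd }
                }
            }
        }
    }
}

$findings = @(Get-ZbotIndicators)
if ($findings.Count -eq 0) {
    Write-Host 'No Trojan-Spy.Win32.Zbot indicators from the article were found.'
} else {
    $findings | Format-Table Type, Location, Detail -AutoSize
}
```

Because the malware hides its files with rootkit techniques, an empty result from a script running on the possibly infected system is not proof of a clean machine; it is a quick first check before running the dedicated utility described below, and a file that the script does see is worth preserving (hash and copy) before disinfection.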

Methods of disinfection


The special utility ZbotKiller.exe should be used to disinfect systems infected with malicious programs of the Trojan-Spy.Win32.Zbot family. The utility:

* performs a quick scan of the system for infection;
* finds and deletes the malicious code of known Trojan-Spy.Win32.Zbot modifications, including code that has spread into other programs running on the computer;
* disables the rootkit functionality the malware uses to hide its files and processes;
* deletes the malicious files and cleans the system registry of traces of Trojan-Spy.Win32.Zbot activity.


The utility ZbotKiller.exe can be launched either locally or remotely, if Kaspersky Administration Kit is deployed in the network.


To remove the malware locally


1. Download the archive ZbotKiller.zip and extract its content into a separate folder on the infected (or potentially infected) computer.

2. Run the file ZbotKiller.exe.


Information: When the scan is over, an active command prompt window may remain on your screen; press any key to close it. For the command prompt window to close automatically, it is recommended to run the utility with the parameter -y.


3. Wait until the scan is complete. No computer reboot is required.


To remove the malware via Administration Kit:


1. Download the utility ZbotKiller.zip and extract its content into a separate folder.

2. In the Administration Kit console, create an installation package for the application ZbotKiller.exe. In the installation package settings, on the Application step, select the variant Make installation package for specified executable file.


Information: In the field Executable file command line (optional), specify the parameter -y so that the console window closes automatically once the utility has finished.


3. Create either a global or a group task for remote installation of the package to the designated computers and run the task. The utility ZbotKiller.exe can be run on all computers in your network.


Switches to manage the utility ZbotKiller.exe from the command prompt:

-y - exit the program without waiting for a key press
-s - silent mode (no console window)
-l <file> - write information into a log file
-v - extended (verbose) logging (must be used together with the -l switch)
-help - show additional information about the utility


For example, in order to scan a computer and write a detailed report into the file report.txt (which will be created in the folder from which the utility ZbotKiller.exe is run), use the following command:


zbotkiller.exe -y -l report.txt -v


The parameter -y in this command closes the console window automatically once the utility has finished.
