Remove Zbot

Zbot is a virus that has been active on the internet for several years. It is quite widespread, and cybercriminals use it to identify and steal your banking data and other sensitive personal information (phone numbers, emails, addresses) stored on your computer in order to resell them. Because of this mode of operation, Zbot is said to belong to the stealer category.

Zbot is mainly spread in three ways:

  • Via exploits hosted on various websites.
  • Via email, for example messages announcing fake Microsoft updates.
  • Via downloads of cracks, hacks, serials and so forth.

In recent years, Zbot has played cat and mouse with the various anti-virus products. Most of the changes made to the malware were intended to let it go unnoticed. In particular, Zbot uses self-defense technology that allows it to hide its executable files as well as its active processes on an infected computer. That is why you should keep your anti-virus up to date and, in particular, use something like Malwarebytes AntiMalware (free version or not), which specializes in this kind of infection.

Main symptoms of a Zbot infection

One or more of the following files can appear in the System32 and AppData folders:

  • ntos.exe
  • twex.exe
  • twext.exe
  • oembios.exe
  • sdra64.exe
  • lowsec\local.ds
  • lowsec\user.ds

System32 and AppData are Windows system folders. Their location varies depending on the version of the Windows operating system installed. You can find them:

  • On Windows Vista, 7, 8 in: C:\Windows\System32 and C:\Users\AppData.
  • On Windows XP in: C:\Windows\system32 and C:\Documents and Settings\Application Data.

Entries that point to the suspicious files mentioned above can also be found in the registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
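
The checks described above can be scripted. The following PowerShell is an added example, not part of the original guide: it looks for the listed file names and inspects the two registry locations for values that reference them. It assumes "AppData" means the current user's %APPDATA% folder.

```powershell
# Added example: file names and registry locations are the ones listed in this guide.
# Assumption: "AppData" is taken to be the current user's %APPDATA% folder.
$names = 'ntos.exe', 'twex.exe', 'twext.exe', 'oembios.exe', 'sdra64.exe',
         'lowsec\local.ds', 'lowsec\user.ds'
$folders = @((Join-Path $env:SystemRoot 'System32'), $env:APPDATA)
$findings = @()

# 1. Look for the listed files. -Force includes hidden and system files.
foreach ($folder in $folders) {
    foreach ($name in $names) {
        $path = Join-Path $folder $name
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $item.FullName
                Detail = "Created $($item.CreationTime), $($item.Length) bytes"
            }
        }
    }
}

# 2. Check both registry locations for values that reference those names.
#    -match is case-insensitive, so NTOS.EXE and ntos.exe are both caught.
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -match $pattern) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$winlogon\Userinit"; Detail = $userinit }
}

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$builtIn = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Skip the metadata properties PowerShell adds to every registry item.
        if ($builtIn -notcontains $p.Name -and "$($p.Value)" -match $pattern) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\$($p.Name)"; Detail = $p.Value }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the listed files or registry references were found.' }
```

The script only reads. Because Zbot can hide its files from a running system, an empty result does not prove the machine is clean.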
Eleni Mastrogianni: