W32/Zbot.ANM!tr

Analysis


  • Upon execution, it copies itself to the following:
    • %System%\[Random].exe

  • The following registry modifications are applied:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
      • Debugger = "[Random].exe"

  • This malware performs a DNS query of the following domains:
    • MATFIC.COM
    • CUBEPAL.COM
    • DISIO.NET
    • raforngorh.mrbasic.com
    • pydneofnro.servegame.com

  • After execution, the original copy of the malware deletes itself.


Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-04-25 91.02686
2023-03-28 91.01840
2023-03-19 91.01575
2023-02-16 91.00651
2023-02-16 91.00640
2023-02-15 91.00594
2023-01-31 91.00154
2022-12-21 90.08923
2019-05-03 68.25000 Sig Added
2019-05-03 68.24700 Sig Updated