VirusW32/Zbot.DHN!tr
Analysis
W32/Zbot.DHN!tr is a generic detection for a type of trojan that drops other malwares onto the compromised computer. Since this is a generic detection, files that are detected as W32/Zbot.DHN!tr may have varying behavior.
Below are examples of some of these behavior:
- It drops the following file:
- undefinedAppDataundefined\{Random}\{Random}.exe : This is a copy of the malware, with some differences in the overlay. This file is also detected as W32/Zbot.DHN!tr.
- It deletes itself from the current folder.
- It uses the following mutex:
- Local\{12025F06-7B2C-2590-E830-61A38AC33DC5}
- It adds the following registry entry:
- key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- value: {Random}
- data: undefinedAppDataundefined\{Random}\{Random}.exe
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2021-02-09 | 83.91300 | Sig Updated |
| 2020-11-24 | 82.07300 | Sig Added |
| 2020-11-24 | 82.06900 | Sig Updated |
| 2020-11-24 | 82.06600 | Sig Added |
| 2020-06-02 | 77.87200 | Sig Updated |
| 2020-03-14 | 75.96500 | Sig Added |
| 2019-04-02 | 67.50600 | Sig Updated |
| 2019-02-26 | 66.67400 | Sig Updated |
| 2019-02-26 | 66.67300 | Sig Updated |
| 2019-02-26 | 66.67200 | Sig Updated |