W32/Zbot.DHN!tr
Analysis
W32/Zbot.DHN!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Zbot.DHN!tr may have varying behavior.
Below are examples of some of these behaviors:
- It drops the following file:
  - %AppData%\{Random}\{Random}.exe : This is a copy of the malware, with some differences in the overlay. This file is also detected as W32/Zbot.DHN!tr.
- It deletes itself from the current folder.
- It uses the following mutex:
  - Local\{12025F06-7B2C-2590-E830-61A38AC33DC5}
- It adds the following registry entry:
  - key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - value: {Random}
  - data: %AppData%\{Random}\{Random}.exe
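The behaviors listed above give a responder two host-side checks: a Run-key value whose data launches an .exe from a single subfolder directly under %AppData%, and the named mutex. The script below is an added defender-side example, not part of Fortinet's entry; it triages a list of Run-key values (the sample entries, the user name and the hypothetical "Ibofe\ukayxo.exe" path are constructed for the demonstration) and, on Windows only, asks the kernel whether the listed mutex currently exists. A match on the Run-key pattern is a triage lead rather than a verdict, since some legitimate per-user installers also use that layout.

```python
import ntpath
import re
import sys

# Constructed sample of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values,
# shaped as (value name, data). The second entry is made up to mimic the
# %AppData%\{Random}\{Random}.exe pattern described for this detection; the
# names are not real indicators.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Ukayxo", r"%AppData%\Ibofe\ukayxo.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Assumed expansion of %AppData% for the sample user; on a live host use
# os.environ["APPDATA"] instead.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"

# Mutex name listed in the analysis for this detection.
ZBOT_DHN_MUTEX = r"Local\{12025F06-7B2C-2590-E830-61A38AC33DC5}"


def exe_path_from_run_data(data):
    """Return the executable path from a Run value's data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    match = re.match(r"(.+?\.exe)(?:\s|$)", data, flags=re.IGNORECASE)
    return match.group(1) if match else data


def expand_appdata(path, appdata):
    """Expand %AppData% (case-insensitive) the way the shell would."""
    return re.sub(r"%appdata%", lambda _m: appdata, path, flags=re.IGNORECASE)


def is_appdata_random_exe(data, appdata):
    """True if the data runs an .exe sitting in exactly one subfolder of %AppData%."""
    exe = ntpath.normpath(expand_appdata(exe_path_from_run_data(data), appdata)).lower()
    root = ntpath.normpath(appdata).lower()
    if not exe.startswith(root + "\\"):
        return False
    parts = exe[len(root) + 1:].split("\\")
    return len(parts) == 2 and parts[1].endswith(".exe")


def triage_run_entries(entries, appdata):
    """Return the value names whose data matches the persistence pattern."""
    return [name for name, data in entries if is_appdata_random_exe(data, appdata)]


def mutex_present(name=ZBOT_DHN_MUTEX):
    """On Windows, report whether a named mutex currently exists; None elsewhere."""
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    kernel32.CloseHandle(ctypes.c_void_p(handle))
    return True


if __name__ == "__main__":
    print("Suspicious Run values:", triage_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_APPDATA))
    print("Zbot mutex present:", mutex_present())
```

On a live host, feed `triage_run_entries` the output of enumerating the Run key (for example via `winreg` or `reg query`) together with the real `%APPDATA%` value; any flagged value name is then worth pairing with the file's hash and the mutex result before quarantining.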
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2021-02-09 | 83.91300 | Sig Updated |
2020-11-24 | 82.07300 | Sig Added |
2020-11-24 | 82.06900 | Sig Updated |
2020-11-24 | 82.06600 | Sig Added |
2020-06-02 | 77.87200 | Sig Updated |
2020-03-14 | 75.96500 | Sig Added |
2019-04-02 | 67.50600 | Sig Updated |
2019-02-26 | 66.67400 | Sig Updated |
2019-02-26 | 66.67300 | Sig Updated |
2019-02-26 | 66.67200 | Sig Updated |