W32/Zbot.FG!tr

Analysis


W32/Zbot.FG!tr is classified as a Trojan. Trojans have capabilities such as remote access connection handling, performing Denial of Service (DoS) or Distributed DoS (DDoS) attacks, capturing keyboard input, deleting files or objects, or terminating processes.

  • It drops the following files (%SYSTEM% denotes the Windows system directory):
    • %SYSTEM%\lowsec\
    • %SYSTEM%\lowsec\local.ds
    • %SYSTEM%\lowsec\user.ds
    • %SYSTEM%\lowsec\user.ds.lll
    • %SYSTEM%\sdra64.exe
  • Attempts to terminate the firewall or other security applications, including antivirus monitors.

  • It modifies the following registry entries:
    • To automatically execute the file sdra64.exe whenever Windows starts:
      • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • value: Userinit
      • data: %SYSTEM%\sdra64.exe
    • To terminate the Windows firewall service:
      • key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
      • value: EnableFirewall
      • data: 0
  • It tries to access the following URL:
    • grafjasqq.[removed]
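The registry and file indicators listed above can be checked on a suspect host with a short script. The following is an added example written for this page, not part of the Fortinet entry or any Fortinet tool: it reads the Winlogon Userinit value and the StandardProfile EnableFirewall value named above, tests for the dropped files, and returns one object per finding. The function name, the output fields and the rule that any Userinit entry other than userinit.exe is flagged for review are this example's own choices; it assumes it is run from an elevated PowerShell session on the host being examined.

```powershell
# Added defender-side check (not part of the Fortinet entry). Reads the two registry
# locations and the dropped-file paths the entry lists and returns one object per finding.
# Function name and output shape are this example's own choices; run from an elevated session.
function Test-ZbotFGIndicators {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $sysDir   = [Environment]::SystemDirectory   # the directory the entry writes as %SYSTEM%
    $findings = New-Object System.Collections.Generic.List[object]

    # Userinit persistence: the only expected entry is <system dir>\userinit.exe
    # (Windows stores it with a trailing comma). Any additional comma-separated entry
    # is flagged for review; sdra64.exe is the value this entry documents.
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $expected = Join-Path $sysDir 'userinit.exe'
        $entries  = $userinit -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
        foreach ($entry in $entries) {
            if ($entry -ine $expected) {
                $findings.Add([pscustomobject]@{
                    Indicator = 'Winlogon\Userinit'
                    Detail    = $entry
                    Severity  = if ($entry -match 'sdra64\.exe$') { 'High' } else { 'Review' }
                })
            }
        }
    }

    # Firewall policy: EnableFirewall = 0 on the standard profile is the change this entry describes.
    $fw = Get-ItemProperty -Path $fwPolicy -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -ne $fw -and $fw.EnableFirewall -eq 0) {
        $findings.Add([pscustomobject]@{
            Indicator = 'StandardProfile\EnableFirewall'
            Detail    = 'set to 0'
            Severity  = 'High'
        })
    }

    # Dropped files and directory named in the entry.
    $paths = @(
        (Join-Path $sysDir 'sdra64.exe'),
        (Join-Path $sysDir 'lowsec'),
        (Join-Path $sysDir 'lowsec\local.ds'),
        (Join-Path $sysDir 'lowsec\user.ds'),
        (Join-Path $sysDir 'lowsec\user.ds.lll')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $findings.Add([pscustomobject]@{ Indicator = 'Dropped file'; Detail = $p; Severity = 'High' })
        }
    }

    return $findings
}

# Usage: print the findings, or report that none of this entry's indicators were found.
$result = Test-ZbotFGIndicators
if ($result.Count -eq 0) { 'No indicators from this entry were found.' } else { $result | Format-Table -AutoSize }
```

A 'Review' finding on Userinit is not by itself proof of this family, since legitimate software occasionally adds an entry there; a 'High' finding on the sdra64.exe path, the firewall value or the lowsec files matches the entry directly and should be followed by the quarantine step under Recommended Action.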

    Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2023-02-16 91.00655
    2023-02-16 91.00640
    2023-02-14 91.00577
    2022-08-16 90.05126
    2022-06-16 90.03315
    2022-03-24 90.00763
    2021-04-20 85.00593
    2021-02-04 83.78200 Sig Updated
    2021-01-19 83.40900 Sig Updated
    2021-01-12 83.24200 Sig Updated