Analysis
W32/Zbot.CYP!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Zbot.CYP!tr may have varying behavior.
Below are examples of some of these behaviors:
- It drops the following modified copy of itself:
- %AppData%\[RandomFoldername]\[RandomFilename].exe, e.g., %AppData%\Icel\ykwy.exe
- The malware adds the following autostart registry entry so that it runs automatically:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- [RandomFilename] = "%AppData%\[RandomFoldername]\[RandomFilename].exe", e.g., ykwy = "%AppData%\Icel\ykwy.exe"
This automatically executes the dropped file every time the infected user logs on.
- The malware injects code into explorer.exe.
- The original copy of the malware is deleted after execution.
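The autostart entry described above is the one behaviour a defender can triage quickly from a host: a Run value whose target is an executable sitting directly inside a subfolder of the user's roaming AppData. The following script is an added example, not part of the original analysis; it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints (the sample output below is constructed, including the user name and the legitimate-looking entries) and flags values whose image path matches the `%AppData%\<folder>\<file>.exe` shape. Legitimate software also installs into roaming AppData, so the result is a list of candidates for review, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. The user name, the benign entries and the "ykwy" entry (modelled on the
# example path in the analysis above) are all made up for this demonstration.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ykwy    REG_SZ    "C:\Users\alice\AppData\Roaming\Icel\ykwy.exe"
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# <anything>\AppData\Roaming\<one folder>\<file>.exe, or the unexpanded %AppData% form
# that a REG_EXPAND_SZ value may carry. Exactly one folder level deep, as in the analysis.
APPDATA_CHILD_EXE_RE = re.compile(
    r"(?:%AppData%|\\AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE
)


def parse_reg_query(output: str) -> List[Dict[str, str]]:
    """Turn `reg query` output into {name, type, data} records.

    reg.exe indents value lines and separates the columns with runs of
    four spaces; the key path header and blank lines are not indented.
    """
    entries = []
    for line in output.splitlines():
        if not line.startswith(" "):
            continue  # key header or blank line
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue  # not a value line we understand
        name, reg_type, data = parts
        entries.append({"name": name, "type": reg_type, "data": data})
    return entries


def executable_path(data: str) -> str:
    """Extract the image path from Run value data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    return data.split(" ", 1)[0]


def is_appdata_roaming_child(path: str) -> bool:
    """True when the path is an .exe exactly one folder below roaming AppData."""
    return APPDATA_CHILD_EXE_RE.search(path) is not None


def suspicious_run_entries(output: str) -> List[Dict[str, str]]:
    """Return the Run values whose target matches the dropped-copy location pattern."""
    return [
        entry
        for entry in parse_reg_query(output)
        if is_appdata_roaming_child(executable_path(entry["data"]))
    ]


if __name__ == "__main__":
    for entry in suspicious_run_entries(SAMPLE_REG_QUERY_OUTPUT):
        print(f"review: {entry['name']} -> {executable_path(entry['data'])}")
```

On a live host the same functions can be fed the real output of `reg query` (for example via `subprocess.run([...], capture_output=True, text=True).stdout`); the explorer.exe injection and the self-deletion of the original dropper are not visible in the registry and need process-memory or file-system tooling instead.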