It is well known that Trojan.Zbot is generated by the ZeuS toolkit, and recently it has added file infection to its bag of tricks. A recently discovered Trojan.Zbot variant searches a predefined location for executable files and injects 512 bytes of code into each one it finds. It then modifies the program's entry point so that execution begins at the top of the injected code. The injected code is very simple and performs the following actions:
- Downloads a file from a URL embedded in the code.
- Executes the downloaded file.
- Executes the original code.
[Figure: Part of the injected code]
Even though antivirus products may delete the main component of the Trojan, the code remains in the infected file, enabling the Trojan to download updates of itself and re-infect the machine. Symantec virus definitions detect infected files as Trojan.Zbot!inf and repair them.
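The infection described above leaves a structural trace: the PE entry point no longer points at the program's original code but at a small stub at the end of the file. The script below is an added, illustrative detection check (not Symantec's detection logic and not part of the original post): it parses the PE headers by hand, locates the section that contains the entry point, and reports heuristics such as an entry point in a non-code or non-executable section, in the last section of the image, or within the final 512 bytes of its section (512 being the stub size the post reports). The two sample images it checks are constructed in memory, so the script runs offline; the section names, sizes and flag values are assumptions for the demonstration.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
INJECT_SIZE = 512  # size of the appended stub described in the post


def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    table = opt + size_opt                                # section table follows the optional header
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, chars))
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic findings about where the entry point lands; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe(data)
    home = next((i for i, (_, va, vsize, _) in enumerate(sections) if va <= entry_rva < va + vsize), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, va, vsize, chars = sections[home]
    findings = []
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not marked executable" % name)
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %s is not a code section" % name)
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point is in the last section (%s) rather than the first code section" % name)
    if vsize > INJECT_SIZE and entry_rva >= va + vsize - INJECT_SIZE:
        findings.append("entry point sits within the final %d bytes of %s" % (INJECT_SIZE, name))
    return findings


def build_sample(entry_rva, sections):
    """Constructed minimal PE image (headers only) with the given entry RVA and section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)        # AddressOfEntryPoint at +16
    opt += b"\0" * (0xE0 - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: a clean image whose entry point is inside .text, and an image whose
# entry point was redirected to a 512-byte tail of the (now executable) last section.
CLEAN_SAMPLE = build_sample(0x1010, [(".text", 0x1000, 0x2000, 0x60000020),
                                     (".data", 0x3000, 0x1000, 0xC0000040)])
STUB_LIKE_SAMPLE = build_sample(0x4000 - INJECT_SIZE, [(".text", 0x1000, 0x2000, 0x60000020),
                                                       (".data", 0x3000, 0x1000, 0xE0000040)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_SAMPLE), ("stub-like", STUB_LIKE_SAMPLE)):
        print(label, entry_point_findings(image) or ["no anomalies"])
```

These checks are heuristics, not a signature: packers and some legitimate linkers also place the entry point outside `.text`, so a hit is a reason to look closer (for example at what the stub code does, and whether it matches a known Trojan.Zbot!inf detection), not a verdict on its own.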
This is not the first time that we have seen this infection method. Trojan.Downexec used the same method to infect files. Regardless, it is obvious that Trojan.Zbot has not finished evolving and users need to stay vigilant against infection from this Trojan.