Got Zbot?

PWS:Win32/Zbot a.k.a Zeus/WSNPoem is a password-stealing trojan that monitors for visits to certain Web sites. It allows limited backdoor access and control and may terminate certain security-related processes.

In our collection, although we have some Win32/Zbot malware toolkit/builder samples that date back to the 1st quarter of 2008, we already received and created detections for a number of Win32/Zbot samples from earlier - as early as the last quarter of 2006 (an early SHA1 is 006227158415078de14b4fe889dfe8dedfcf4e0b).

Win32/Zbot evolves as it is circulated and maintained by a number of malicious and unrelated distributors, who use varying distribution vectors (spam run, drive-by-downloads, exploits, etc.). Which, mind you, explains why this critter has weathered more than 3 years and is still around and active. If you have been infected by this malware, well suffice it to say that you are not alone. Our telemetry shows Win32/Zbot infections reported back by a number of our services have rocketed sky high as of late.

Zbot samples distribution from 2007 to present

The geographical distribution of the above reported data also shows that almost 75 percent of Win32/Zbot infections are in the United States and United Kingdom. This suggests there may be a language bias in the social engineering approach used by the distributors of this malware.

Zbot cumulative distribution by region

Generally, each public build of Win32/Zbot produced by these "kits" can be categorized into how it copies and installs itself to the machine. And normally the malware's default installation behavior is not easy to change and so the toolkit user opts not to bother with it anyway. *MOST* if not all of them fall under one of the following variants (as discussed in our encyclopedia entry):

[Variant #1]
Dropped Files:
<system folder>ntos.exe - Win32/Zbot
<system folder>wsnpoemvideo.dll - configuration file
<system folder>wsnpoemaudio.dll - stolen data

Registry Startup:
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
userinit = "<system folder>userinit.exe,<system folder>ntos.exe,"

Example SHA1: 006227158415078de14b4fe889dfe8dedfcf4e0b

[Variant #2]
Dropped Files:
<system folder>twext.exe - Win32/Zbot
<system folder>twain_32local.ds - configuration file
<system folder>twain_32user.ds - stolen data

Registry Startup:
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
userinit = "<system folder>userinit.exe,<system folder>twext.exe,"

Example SHA1: 50be83e3b1b71448375411120c436c04497b1ad9

[Variant #3]
Dropped Files:
<system folder>twex.exe - Win32/Zbot
<system folder>twain32local.ds - configuration file
<system folder>twain32user.ds - stolen data

Registry Startup:
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
userinit = "<system folder>userinit.exe,<system folder>twex.exe,"

Example SHA1: 290d33efedd0281021940eba1d60a2091a991d0e

[Variant #4]
Dropped Files:
<system folder>sdra64.exe - Win32/Zbot
<system folder>lowseclocal.ds - configuration file
<system folder>lowsecuser.ds - stolen data

Registry Startup:
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
userinit = "<system folder>userinit.exe,<system folder>sdra64.exe,"

Example SHA1: 842f84c2c8d3be5e425787c6e9cac3d6a377e76e

Remember Win32/Zbot's main objective is to steal sensitive information, including a user's online credentials. Thus it makes sense that if you think your credentials have been compromised you should immediately change those on a clean and trusted system.

Microsoft offers the following services to keep you protected against current threats while using your computer:

Our online scanner, Microsoft Security Essentials and Microsoft Forefront Security

Good luck and stay safe!

--Jireh Sanico


While the best way to detect and clean a Win32/Zbot infection is to use an up-to-date antivirus scanner like we mentioned above, if you unable to do so, or if you suspect that you have a new or undetected Zbot infection, then you could use the following instructions. These instructions help you to determine if you are infected by Zbot and to disable the malware before submitting a sample of the suspect file for our analysis. Please note that manually modifying the registry is generally not recommended, and we urge you to use caution if you choose to do so.

One can do a quick check for the existence of this malware manually using Windows command prompt:

(The configuration and data files tucked in their respective folders are hidden in Windows Explorer but can be seen using the DIR command.)


A clean system by default should not have any unique ID made by the malware, so if you run the following:

REG QUERY "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionNetwork" /v UID
-- or --
REG QUERY "HKCUSOFTWAREMicrosoftWindows NTCurrentVersionNetwork" /v UID

an infected machine would return the following data in the following format:

<computer name>_<string id> (for example, COMP1_00038EB9)


The userinit startup key specifies what program should be launched right after a user logs on to Windows. Win32/Zbot adds its path into the data value and protects that value from being changed while it is active. Running the following query returns the Zbot program (in the below screenshot, it is "sdra64.exe"):

REG QUERY "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" /v userinit


Win32/Zbot injects code into running processes so a system reboot is the easiest way to take it out of memory, but first we need to disable and prevent it from loading during startup like so (proceed with caution):

REG ADD "HKLMSYSTEMCurrentControlSetControlSession Manager" /v PendingFileRenameOperations /t REG_MULTI_SZ /d ??c:windowssystem32sdra64.exe??c:windowssystem32sdra64.ex_


The above command renames the malicious file c:windowssystem32sdra64.exe to c:windowssystem32sdra64.ex_ when the system is restarted so there is now a chance to throw the malware our way. Note that if the malicious file is not "sdra64.exe", you'll have to substitute the Zbot file name in your computer.

Comments (0)

Skip to main content