Threat Description



Aliases: Zeus, Citadel, Ice IX, Trojan.zbot.[variant], Trojan-spy.win32.zbot.[variant], Gen:variant.zbot.[variant], Trojan-Spy:w32/zbot.[variant]
Category: Malware
Type: Trojan-Spy
Platform: W32


Trojan:W32/Zbot is a large family of malware that steals information from an infected system.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information. They also have limited backdoor and proxy capabilities.

Zbot is also known as Zeus or Wsnpoem. This malware is discussed in our Labs Weblog:

A variant of the Zbot trojan is known as Citadel, and is based on source code that was leaked out on the Internet 2011. More information about this variant, and other variants based on the leaked Zeus source code, is available in the following Threat Reports:


The Zbot trojan creates a %windir%\system32\wsnpoem folder in which it places two files, video.dll and audio.dll. These files are used to store information stolen from the infected system, as well as an encrypted configuration file which the trojan downloads from a predefined location. The wsnpoem folder and its content are usually hidden using stealth techniques.

The Zbot trojan also copies itself to %windir%\system32\ntos.exe (or in some variants, ...\oembios.exe). A random amount of junk data is appended to the copy in an attempt to make its detection more difficult.

During installation, the Zbot trojan will check the running programs for firewall related processes such as outpost.exe or zlclient.exe. If either of these processes are running, the trojan only copies itself to the system32 folder, then exits. If it is safe to proceed, it will amend the registry keys to enable the malware to execute at every startup, which will also cause it to inject itself into other processes.

Data Harvesting

The Zbot-trojan starts its main information-stealing function by opening a connection to a remote server and downloading an encrypted configuration file. This file contains the address where the trojan will later upload the information it has stolen; an address where it can download a new version of itself; and the address of another configuration file. This file also defines what websites the trojan will target for information theft.

Once the configuration file is downloaded, any confidential banking data the victim types in is compromised. If the victim enters account information on an online banking site, the trojan intercepts the data in the webform and uploads it to the server defined in the trojan's configuration file. To gather more information, the malware author can even create additional fields, which are then injected into a targeted webpage for the unsuspecting victim to fill in.

Zbot-trojans are also capable of presenting the victim with a fake version of a webpage. Victims trying to browse specific webpages will be presented with a modified copy of the website from a server controlled by the attacker, rather than the correct webpage from the legitimate server. Again, any information entered is captured by the attacker.

Keylogging, stealing data from the clipboard and taking screenshots of the desktop are also in Zbot arsenal. Zbot trojans steal the content of the Windows Protected Storage, as well as certificates stored on the infected system. Username and password information for POP3 and FTP protocols are also stolen.


Zbot trojans have limited backdoor functionality, which mainly involve executing a file already on the system or downloading a new version of itself.

A Zbot-trojan can also act as a proxy-server. Other miscellaneous functionality includes the ability to modify the content of %windir%\system32\drivers\hosts, and to redirect or block access to websites.

Description Created: 2008-09-05 16:34:25.0

Description Last Modified: 2015-01-16 10:30:01.0


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More