Home > Threat descriptions >



Category: Malware

Type: Trojan-Spy

Aliases: Trojan-Spy:W32/Zbot.KZ, ZBot.HS


This type of trojan secretly installs spy programs and/or keylogger programs.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Trojan-Spy:W32/ZBot.HS was discovered on February 20th 2008 and targets the online banking portal Finnish bank; the spam email messages used to distribute its executably binary file are written in Finnish. Later samples received on April 04, 2008 are now detected as Trojan-Spy:W32/Zbot.KZ. New download filename is iPIX-install.exe. Also, please contact your bank and confirm your online banking transactions if infection is confirmed.


Several Finnish language spam messages were used to direct recipients to various websites.The websites supposedly contain a images that require an iPIX plug-in.The download link for the "plug-in" in fact downloads the ZBot file.

A sample message is below:

The message warns of a radioactive cloud spreading from a nuclear reactor close to the Finnish city of Mikkeli. The end of the message provides a link to a supposed blog with pictures of the event and of victims.

It is an attempt at social engineering. However, as there is no nuclear power plant near Mikkeli, many recipients report that they were not tempted by the message.

This is an example of the website:

An icon for a needed plug-in is displayed rather than images when viewing the site.

The message below the image area contains the link from which the malware is downloaded:

There are several versions of bait used by the spam messages.

One message claims to be from a woman seeking love. The message directs to a Web site such as this:

The website designs have been used in the past. There are previous examples of German language versions targeting individuals in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. The components are encrypted, probably to hinder analysis of the code.


Upon execution the trojan copies itself to the following location:

  • %windir%\system32\ntos.exe

Note: %windir% represents the system's default Windows directory. The folder name may vary by language localization.

It then creates the following folder under the Windows system directory:

  • wsnpoem

ZBot.HS attempts to hide this folder using stealth techniques.

It creates the following files in the newly created folder:

  • audio.dll
  • video.dll

These files are written with encrypted data.

The trojan modifies the following registry entry to enable its automatic execution upon Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\ntos.exe"

The trojan deletes cookies in the Internet Explorer URL cache.

It then injects malicious code into several active processes, particularly winlogon.exe and iexplorer.exe.


The injected code starts listening for incoming TCP connections and downloads the following data file from a remote server:

  • file.bin

The remote server URL contains a top-level domain of ".ru". The server is hosted in Turkey as of February 21, 2008.

Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

ZBot searches the following string by default:

  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

Other targets are added through the file.bin configuration.The file.bin of ZBot.HS targets a Finnish bank.

Browser activity is monitored for multiple ".fi" URL addresses. Finnish, Swedish, and English language versions are monitored.

If online banking activity is detected ZBot.HS will beginning logging information. ZBot.HS does not inject its own banking transactions.

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe

Description Created: 2008-02-20 14:35:45.0

Description Last Modified: 2010-06-10 08:43:08.0