Threat Description

Trojan-Spy: W32/ZBot.HS


Category: Malware
Type: Trojan-Spy
Platform: W32
Aliases: Trojan-Spy:W32/Zbot.KZ, ZBot.HS


This type of trojan secretly installs spy programs and/or keylogger programs.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Trojan-Spy:W32/ZBot.HS was discovered on February 20th 2008 and targets the online banking portal Finnish bank; the spam e-mail messages used to distribute its executably binary file are written in Finnish. Later samples received on April 04, 2008 are now detected as Trojan-Spy:W32/Zbot.KZ. New download filename is iPIX-install.exe. Also, please contact your bank and confirm your online banking transactions if infection is confirmed.


Several Finnish language spam messages were used to direct recipients to various websites.The websites supposedly contain a images that require an iPIX plug-in.The download link for the "plug-in" in fact downloads the ZBot file.

A sample message is below:

The message warns of a radioactive cloud spreading from a nuclear reactor close to the Finnish city of Mikkeli. The end of the message provides a link to a supposed blog with pictures of the event and of victims.

It is an attempt at social engineering. However, as there is no nuclear power plant near Mikkeli, many recipients report that they were not tempted by the message.

This is an example of the website:

An icon for a needed plug-in is displayed rather than images when viewing the site.

The message below the image area contains the link from which the malware is downloaded:

There are several versions of bait used by the spam messages.

One message claims to be from a woman seeking love. The message directs to a Web site such as this:

The website designs have been used in the past. There are previous examples of German language versions targeting individuals in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. The components are encrypted, probably to hinder analysis of the code.


Upon execution the trojan copies itself to the following location:

  • %windir%\system32\ntos.exe

Note: %windir% represents the system's default Windows directory. The folder name may vary by language localization.

It then creates the following folder under the Windows system directory:

  • wsnpoem

ZBot.HS attempts to hide this folder using stealth techniques.

It creates the following files in the newly created folder:

  • audio.dll
  • video.dll

These files are written with encrypted data.

The trojan modifies the following registry entry to enable its automatic execution upon Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\ntos.exe"

The trojan deletes cookies in the Internet Explorer URL cache.

It then injects malicious code into several active processes, particularly winlogon.exe and iexplorer.exe.


The injected code starts listening for incoming TCP connections and downloads the following data file from a remote server:

  • file.bin

The remote server URL contains a top-level domain of ".ru". The server is hosted in Turkey as of February 21, 2008.

Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

ZBot searches the following string by default:


Other targets are added through the file.bin configuration.The file.bin of ZBot.HS targets a Finnish bank.

Browser activity is monitored for multiple ".fi" URL addresses. Finnish, Swedish, and English language versions are monitored.

If online banking activity is detected ZBot.HS will beginning logging information. ZBot.HS does not inject its own banking transactions.

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe

Description Created: 2008-02-20 14:35:45.0

Description Last Modified: 2010-06-10 08:43:08.0


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More