W32/Zbot.BTPZ!tr
Analysis
W32/Zbot.BTPZ!tr is a generic detection for a type of trojan that injects code into other processes. Since this is a generic detection, files that are detected as W32/Zbot.BTPZ!tr may have varying behavior.
Below are examples of some of these behavior:
- The following files are created:
- undefinedAppDataundefined\typyyw\abexo.exe : This is a modfied copy of the original malware. This file name is randomly generated.
- It creates the following autorun registry entry:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\abexo
- Abexo = "undefinedAppDataundefined\typyyw\abexo.exe"
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\abexo
- It injects code into a process, usually explorer.exe.
- The malware then runs its dropped copy.
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |