New alert, is this detected by avast...Trojan Zbot inside zip file

[Michael (alan1998)]

Whoop. It is quite easy to delete. Kill the Proccess in Task Manager, C:\Users\X\Roaming\IG(xxx).

Delete that and then run a scan with MBAM.

[Michael (alan1998)]

Steven. Suggestion. Use Windows 7 VM. Not Windows 8.1. I hate Windows 8

[Secondmineboy]

I will use a Win7 VM. I am running Windows 8.1 at the moment, i had to reset the laptop to factory settings cause it was
crashing several times a day. I think svchost.exe was corrupted or damaged.

Maybe i will go over to Linux if Windows will stay that bad, many people switched to Linux due to Win8.
Most stayed at Windows 7. When Windows is staying at this stage and Windows 7 is outdated i think many will go over to a Mac
or Linux.

[Secondmineboy]

Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=1bc233e85a60405a481148b466e1cc86f&format=html

Threat Expert: http://www.threatexpert.com/report.aspx?md5=d711b3d9ca4beacb468269c5654cc515

[Michael (alan1998)]

Some more info. It modifies the registry to run on boot-up.

HKEY_CURRENT_USER --> Software --> Microsoft --> Windows --> Current Version --> Run

The file is randomly named according to the C:\Users\X\Roaming\[filename]

I'll attach a picture with the virus folder name.

Please Note: The virus folders and executables files are randomly named each time and are not consistant!!

Additionally: Once the file has been run, it caps your CPU to max levels then drops. In order to delete the Roaming folder you need kill the proccess in Task Manager. Note again it will be randomly named and signed by Kemliz (Close, will modify that when I get home) MBAM works against this variant of Zbot.

[Secondmineboy]

Still not detected by Bitdefender: https://www.virustotal.com/de/file/e65315616ee6ac28ec9e8f0f43ddb0f189a81b515369a72fc8a6b69db280d829/analysis/1382370536/

[Michael (alan1998)]

Youch! I'll edit this post with the folders and the signed name and all that. Uno momento!

[Secondmineboy]

Now i have a Win 7 Home Premium 32 Bit VM.

Just set it up.

[Secondmineboy]

After running the file there is a Trojan sitting in AppData Roaming.

[Michael (alan1998)]

The file is randomly named according to the C:\Users\X\Roaming\[filename]

After running the file there is a Trojan sitting in AppData Roaming.

Also, opsted pics in my last post....

[Secondmineboy]

For me the file tried to access Windows Mail, which was not working.

I am running this inside VMWarePlayer cause Virtualbox is not working for me at the moment, i cannot drag and drop files.
Even when its activated in the settings.

I also have Ubuntu and Linux Mint as VM.

[essexboy]

Have you sent a copy to Avast ?

[Michael (alan1998)]

Windows Mail? Was probably trying to mass email itself.... Hmm. it tried to connect to my network. Blocked by Windows Firewall.

[Michael (alan1998)]

Have you sent a copy to Avast ?

Avast! Detects the file and the site. No need to. We are messing with it at this point....

[essexboy]

Have fun

Could you run an OTL scan when it is installed so that I can have a look see