Size: 20480 bytes
Trojan.Win32.Zbot.dkek is a malicious Windows dynamic library that is a component of another malicious program. The library can be used to inject the code of another malicious library into the address space of a web browser process and to create autorun registry keys.
Once the library's malicious code is launched in the target process address space, the library body is copied to the current user's Windows temporary folder under a randomly generated name:
where <rnd> is a random two-digit hexadecimal number.
Two bytes are then modified in that copy:
The code of the created copy of the dynamic library (DLL) is then executed.
Once launched, the code of the malicious library performs the following actions:
- creates a unique identifier with the following name to ensure that only one instance of its process runs in the system:
- starts a separate thread that, in an infinite loop with a 3-second interval, injects the library code into the address space of the following web browsers (Internet Explorer, Mozilla Firefox and Google Chrome):
- can create autorun registry keys in the following branches:
The names and values of the registry keys are read from the malware's data segment.
- Using Task Manager (How to End a Process with the Task Manager), terminate the following processes:
- Delete files:
- Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
- Delete the registry keys created by the Trojan in the following branches (How to Work with System Registry):
- Run a full scan of your computer using an antivirus program with an updated definition database (Download Ad-Aware Free).