Troj/Zbot-F

Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	April 2008 (4.28)
Protection available since	21 February 2008 01:59:24 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Your options

If you've received an alert, then you have 2 options:

authorize the file
send the file to the lab for analysis

Authorize the file if it's from a trusted source.

Send it to the lab for analysis if:

you trust the file, but it generates alerts.
you don't trust the file

To reduce the chance of unwanted detections, Sophos HIPS should be set to 'Alert only' mode for the duration of any software installations.

Sending a file to the lab?

When you complete the sample submission form, please give a reason for your submission and mention this "HIPS/" detection.

More Information

Summary
Action
More Information

Troj/Zbot-F is a Trojan for the Windows platform.

When first run Troj/Zbot-F copies itself to:

<System>\ntos.exe but with varying amounts of appended data.

Troj/Zbot-F modifies the following registry entry to start itself:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\ntos.exe,

Troj/Zbot-F also attempts to download files to:

<System>\wsnpoem\

Get reports about the latest virus and spyware threats delivered to your computer