Categories: Spy

Win32/Spy.Zbot.ACM (file analysis)

The Win32/Spy.Zbot.ACM is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Win32/Spy.Zbot.ACM virus can do?

  • Executable code extraction
  • Injection (inter-process)
  • Compression (or decompression)
  • Injection with CreateRemoteThread in a remote process
  • Creates RWX memory
  • Mimics the system’s user agent string for its own requests
  • Repeatedly searches for a not-found browser, may want to run with startbrowser=1 option
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • Drops a binary and executes it
  • The binary likely contains encrypted or compressed data.
  • Uses Windows utilities for basic functionality
  • Detects Sandboxie through the presence of a library
  • Detects the presence of Wine emulator via function name
  • Deletes its original binary from disk
  • Tries to unhook or modify Windows functions monitored by Cuckoo
  • Installs itself for autorun at Windows startup
  • Attempts to identify installed analysis tools by a known file location
  • Checks for the presence of known devices from debuggers and forensic tools
  • Detects the presence of Wine emulator via registry key
  • Detects Sandboxie using a known mutex
  • Checks the version of Bios, possibly for anti-virtualization
  • Detects VirtualBox through the presence of a device
  • Detects VirtualBox through the presence of a registry key
  • Detects VMware through the presence of a device
  • Detects VMware through the presence of a registry key
  • Detects Virtual PC using a known mutex
  • Attempts to modify proxy settings
  • Creates a copy of itself
  • Checks for a known DeepFreeze Frozen State Mutex
  • Collects information to fingerprint the system

Related domains:

godz.bit
z.whorecord.xyz
a.tomx.xyz
ponchik-coca.com
cheshka2017.com

How to determine Win32/Spy.Zbot.ACM?



File Info:

crc32: 25ACB03Cmd5: 80abe731a3d980bce795e526df95a131name: 80ABE731A3D980BCE795E526DF95A131.mlwsha1: 4f51a98e691f77728bd726c926060057f8dda421sha256: 97102e7096d86fe947996698830b9817ca6f26f032dab151681bda8708d07457sha512: 5acf4d8b4883821160c3c6c1d9adcf6ac61cae11d6005d5e684dafbdc44b1f3613a9b907336649a8d163b63ec239bb9e569a5bd53a1d089687e52b8202540dcassdeep: 6144:IKq+fdH1fGZUV228+TU7bPHLmeGWMWeYX:IP+f5lyUVr8X7b/aeGWxtype: PE32 executable (GUI) Intel 80386, for MS Windows

Version Info:

0: [No Data]

Win32/Spy.Zbot.ACM also known as:

Bkav W32.AIDetect.malware1
K7AntiVirus Spyware ( 004dc4921 )
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Panda.11620
Cynet Malicious (score: 100)
Cylance Unsafe
Zillya Trojan.Yakes.Win32.62047
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
Alibaba TrojanSpy:Win32/Yakes.6e67aa44
K7GW Spyware ( 004dc4921 )
Cybereason malicious.e691f7
Symantec Trojan Horse
ESET-NOD32 Win32/Spy.Zbot.ACM
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky Trojan.Win32.Yakes.shnp
NANO-Antivirus Trojan.Win32.Yakes.ekujqh
Tencent Malware.Win32.Gencirc.1149bd65
Comodo Malware@#1f2a3qmd2xbku
BitDefenderTheta Gen:NN.ZexaF.34686.uuW@ae6HCJci
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom_HPLOCKY.SME1
McAfee-GW-Edition BehavesLike.Win32.Dropper.fc
FireEye Generic.mg.80abe731a3d980bc
SentinelOne Static AI – Suspicious PE
Jiangmin Trojan.Yakes.uef
Webroot Trojan.Dropper.Gen
Avira HEUR/AGEN.1127217
eGambit Unsafe.AI_Score_99%
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Microsoft Trojan:Win32/Dynamer!ac
AegisLab Trojan.Win32.Yakes.4!c
AhnLab-V3 Trojan/Win32.Yakes.C1764890
Acronis suspicious
McAfee PWSZbot-FHN.b
MAX malware (ai score=100)
VBA32 Trojan.Yakes
Malwarebytes MachineLearning/Anomalous.100%
Panda Trj/CI.A
TrendMicro-HouseCall Ransom_HPLOCKY.SME1
Rising Spyware.Zbot!8.16B (CLOUD)
Yandex Trojan.GenAsa!8S997MV0yFE
Ikarus Trojan-Spy.Agent
Fortinet W32/Generic.AC.3C4F05!tr
AVG Win32:Trojan-gen
Paloalto generic.ml

How to remove Win32/Spy.Zbot.ACM?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.
Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment
Share
Published by
Paul Valéry
Tags: a.tomx.xyzcheshka2017.comgodz.bitponchik-coca.comWin32/Spy.Zbot.ACMz.whorecord.xyz
3 years ago

Recent Posts

What is “MSIL/TrojanDropper.Agent.BVT”?

The MSIL/TrojanDropper.Agent.BVT is considered dangerous by lots of security experts. When this infection is active,…

21 hours ago

Should I remove “Generic.Dacic.94CCEEA9.A.A4A6DA47”?

The Generic.Dacic.94CCEEA9.A.A4A6DA47 is considered dangerous by lots of security experts. When this infection is active,…

21 hours ago

Malware.AI.524217860 removal tips

The Malware.AI.524217860 is considered dangerous by lots of security experts. When this infection is active,…

22 hours ago

Trojan:Win32/Koutodoor.F removal tips

The Trojan:Win32/Koutodoor.F is considered dangerous by lots of security experts. When this infection is active,…

23 hours ago

How to remove “Malware.AI.1412460714”?

The Malware.AI.1412460714 is considered dangerous by lots of security experts. When this infection is active,…

23 hours ago

Generic.Dacic.8952383F.A.5EC8C34B removal instruction

The Generic.Dacic.8952383F.A.5EC8C34B is considered dangerous by lots of security experts. When this infection is active,…

23 hours ago