Virus PWS-Zbot.gen.gi!E69284FFC72E
Other Company Detection Aliases
| Company Names | Detection Names |
|---|---|
| AVG (GriSoft) | Generic23.CWM |
| Avira | TR/FakeSysdef.A.1499 |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| BitDefender | Gen:Variant.Kazy.26475 |
| FortiNet | W32/Krap.AON!tr |
| Symantec | Trojan.Fakeav |
| Eset | Win32/Kryptik.OYP |
| Sophos | Mal/FakeAV-IK |
Attempts to connect to a high-risk domain that may pose a security risk. It also creates one or more shortcut (.LNK) files to provide user-accessible links to start a program, usually from the desktop or Start menu.
The following registry elements have been changed:
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\USE FORMSUGGEST = Yes
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CERTIFICATEREVOCATION = 0
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONBADCERTRECVING = 0
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONZONECROSSING = 0
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3\1601 = 0
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\STATE = 146944
The applications attempted the following network connection(s):
- 188.229.88.***:80
- 46.161.11.***:80
- hxxp://searcham.org/*****
To remove this virus:
1. Disable System Restore (Windows ME/XP only).
2. Update to current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system registry and INI files for the purpose of hooking system startup will be removed if cleaning with the recommended engine and DAT combination or higher.