Saturday, April 13, 2013

Zbot family Trojan infects selected systems only

The malware runs only on systems whose CLSID matches an identifier that the malware itself carries.

AVG's specialists analyzed one sample from the Zbot family of Trojans. They found that the malware uses a CLSID check as a safeguard against analysis: on a machine that does not match, it does nothing.

The researchers ran the sample on a physical computer and found that, before doing anything else, the malware downloads data twice, decrypts it, and compares certain bytes of the result against data obtained from the local machine.

From this the experts concluded that the sample infects only a system whose CLSID matches the identifier the malware carries.

If the CLSIDs match, the malware begins its work; otherwise it exits without visible activity, which is why such a sample appears inert in a sandbox or on an analyst's machine. It is not yet known exactly how the Trojan obtains the CLSID of the target system. This may happen during the malware's initial setup and later modifications, or during communication between an infected machine and the command server.
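The gating logic described above, modeled as an added example. This is not code from the Zbot sample or from AVG's analysis; it assumes details the write-up does not give: the two downloads are modeled as a key and an encrypted blob, the cipher as a repeating-key XOR, the local identifier as a GUID string, and the "certain bytes" compared as the first 16 bytes of a SHA-256 of that string. All identifiers and keys are constructed.

```python
import hashlib
import hmac

# Constructed model of a target-keyed execution check. The real cipher,
# download contents and compared bytes are unknown; everything below is an
# assumption used only to show the shape of the check.

COMPARE_LEN = 16  # assumption: how many decrypted bytes are compared


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Symmetric repeating-key XOR; stands in for the sample's unknown cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fingerprint(machine_id: str) -> bytes:
    """Normalize a GUID-style identifier and hash it (assumed scheme)."""
    return hashlib.sha256(machine_id.strip().lower().encode("utf-8")).digest()


def target_matches(encrypted_target: bytes, key: bytes, local_machine_id: str) -> bool:
    """Decrypt the staged target value and compare it with the local identifier."""
    expected = xor_stream(encrypted_target, key)
    if len(expected) < COMPARE_LEN:
        return False  # truncated or corrupt download: do not run
    local = fingerprint(local_machine_id)[:COMPARE_LEN]
    return hmac.compare_digest(expected[:COMPARE_LEN], local)


# Constructed data standing in for what the operator stages server-side.
TARGET_ID = "{7b2f9c41-3d6e-4a58-9f10-2c8e5d7a6b34}"  # constructed, not a real CLSID
STAGE_KEY = b"constructed-stage-key"
STAGE_BLOB = xor_stream(fingerprint(TARGET_ID)[:COMPARE_LEN], STAGE_KEY)


def fetch_stage(name: str) -> bytes:
    """Stands in for the two downloads; served from an offline dict here."""
    staged = {"key": STAGE_KEY, "blob": STAGE_BLOB}
    return staged[name]


def decide(local_machine_id: str) -> str:
    """Return what the sample would do on a machine with this identifier."""
    key = fetch_stage("key")    # first download (assumption)
    blob = fetch_stage("blob")  # second download (assumption)
    if target_matches(blob, key, local_machine_id):
        return "run payload"
    return "exit silently"


if __name__ == "__main__":
    print(decide(TARGET_ID))
    print(decide("{00000000-0000-0000-0000-000000000000}"))
```

On any machine other than the intended target, `decide` returns "exit silently", so dynamic analysis shows only the two downloads and then termination. Keeping the comparison behind a hash of the identifier means the staged blob does not reveal the target's CLSID directly to whoever intercepts it, which is one reason an analyst would not be able to learn the target from the traffic alone.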


