W32/Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. W32/Zbot is created using a Trojan-building toolkit. The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft. The message body warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. The computer is compromised if the user visits the link, if it is not protected.

W32/Zbot is very difficult to detect even with up-to-date antivirus and other security softwares as it hides itself using stealth techniques. Security experts are advising that businesses continue to offer training to users to teach them to not to click on hostile or suspicious links in emails or Web sites, and to keep antivirus protection up to date. They can monitor online banking activities by hooking API addresses and injecting code into webpages. W32/Zbot  lets a malicious hacker gain access and control your PC, to varying degrees. Its level of control depends on the information in the configuration data in each particular variant.


Confidential information is gathered through multiple methods. Upon execution W32/Zbot automatically gathers any Internet Explorer, FTP, or POP3 passwords that are contained within Protected Storage. However, its most effective method for gathering information is by monitoring Web sites included in the configuration file, sometimes intercepting the legitimate Web pages and inserting extra fields (e.g. adding a date of birth field to a banking Web page that originally only requested a user name and password).

Infection Symptons of W32/Zbot
  • W32/Zbot will degrade the computer performance significantly and crash down the system randomly.
  • Allows remote access to compromise your computer by changing your PC system settings, registry settings and files to capture and steal your personal privacy data without any permission.
  • May come with additional spyware or other privacy-invasive trojans
  • Blocks the network connection and it pretends to show you that the browsers get hijacked.
  • Connects to a command and conrol server to download additional instructions and malware