A Zbot Trojan variant that has the ability to infect other files has been discovered recently.
It searches for .exe files in predefined locations and injects 512 bytes of code into each of them, also altering the program’s entry point so that execution starts at the top of the injected code.
The injected code has three tasks: download a file from the URL embedded in the code, execute that file, and then execute the original program.
Symantec reports that the purpose of this new feature is to evade detection by current anti-malware solutions: the main component of the Trojan will likely be spotted, but the infected file will not. The injected code then starts the routine described above and re-infects the machine.
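One way a defender can look for the entry-point redirection described above is to parse the PE headers of an .exe and ask whether the entry point still lands where a compiler would put it. The check below is an added example, not code from the original article or from Symantec's write-up. It assumes the injected stub sits inside an existing section near its end and uses the reported 512-byte stub size as a threshold; the PE headers it scans are constructed in memory as samples, not taken from a real binary.

```python
"""Heuristic entry-point sanity check for PE files (added example, not from the article)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STUB_SIZE = 512  # size of the injected code reported for this Zbot variant


def parse_pe_headers(data):
    """Return (AddressOfEntryPoint, [section dicts]) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # optional header start
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # same offset in both formats
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + i * 40
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "end": vaddr + max(vsize, rawsize), "chars": chars})
    return entry, sections


def check_entry_point(data):
    """Return a list of findings; an empty list means the entry point looks ordinary."""
    entry, sections = parse_pe_headers(data)
    home = next((s for s in sections if s["vaddr"] <= entry < s["end"]), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not executable" % home["name"])
    if home["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % home["name"])
    code_sections = [s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if code_sections and home is not code_sections[0]:
        findings.append("entry point is in %s, not the first executable section %s"
                        % (home["name"], code_sections[0]["name"]))
    # Heuristic (assumption): an appended stub leaves the entry point in the tail of its section.
    if home["end"] - entry <= STUB_SIZE:
        findings.append("entry point sits in the last %d bytes of %s (appended stub?)"
                        % (STUB_SIZE, home["name"]))
    return findings


def build_pe(entry_point, sections):
    """Constructed PE32 headers for testing; sections are (name, vaddr, size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, vaddr, size,
                                 0, 0, 0, 0, 0, chars)
                     for name, vaddr, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, one with the entry moved to the tail of .text,
# and one with the entry moved into the writable .data section.
LAYOUT = [(b".text", 0x1000, 0x2000, 0x60000020), (b".data", 0x3000, 0x1000, 0xC0000040)]
CLEAN_SAMPLE = build_pe(0x1010, LAYOUT)
TAIL_SAMPLE = build_pe(0x2F00, LAYOUT)
DATA_SAMPLE = build_pe(0x3100, LAYOUT)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("tail", TAIL_SAMPLE), ("data", DATA_SAMPLE)):
        print(label, check_entry_point(sample) or "no findings")
```

On real files the same `check_entry_point` can be fed `open(path, "rb").read()`; a hit is a reason to compare the file against a known-good copy or a vendor signature, not proof of infection, since packers and some linkers also produce unusual entry points.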
Although this isn’t the first Trojan to have this feature (Trojan.Downexec comes to mind), it is good to know that Zbot now has this ability. Users should be careful – if their security solutions detect Zbot, it is advisable to scan the computer again. If it detects Zbot again, it is likely that they have this variant installed.