Microsoft today announced that it has added the Win32/Zemot family to the Malicious Software Removal Tool. Win32/Zemot is a family of trojan downloaders used by malware such as Win32/Rovnix, Win32/Viknok, and Win32/Tesch to deliver a number of different payloads. Zemot is usually distributed through the spambot malware Win32/Kuluoz and through the Magnitude EK and Nuclear EK exploit kits. You can see the infection chain above.
We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014.
By comparing machine-count and file-count telemetry, we can see that a single copy of Zemot is often mass-distributed to the payload URLs (the download URLs used by Win32/Kuluoz and the payload URLs used by the exploit kits).
Some other notable characteristics of the Zemot family include:
- They use several techniques to make sure the downloaded module runs successfully on all Windows platforms.
- Each successful download is saved with a unique file name to allow for multiple infections.
- Major variants vary in their static configuration format and download file name format (for example: java_update_<random>.exe, updateflashplayer_<random>.exe).
- Modules such as getting the OS version, user privilege, URL parsing and the downloading routine are taken from the Zbot source code.
- Variants can be bundled with other malware (one trojan downloader can distribute multiple malware payloads).