Zbot is an information-stealing Trojan that can be delivered through a PDF document. Once the PDF has been saved on the computer, simply opening it is enough: the Trojan starts executing malicious code and can send information to a remote server. This variant appears to send the stolen information to a remote server located in China.
If a PDF carrying this Trojan is downloaded, the user is prompted to save a file named “Royal_Mail_Delivery_Notice.pdf”. After that file is saved, the original file is saved as well, and opening the PDF starts the Trojan's execution.
The Zbot Trojan creates a subdirectory named “lowsec” under %SYSTEM32% and drops the files “local.ds” and “user.ds” into it. It also drops an executable, “sdra64.exe”, and modifies the registry value “%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” so that it is launched at every system startup. When it runs, it injects malicious code into the Winlogon.exe process in memory.
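As an added example (not code from the original post), the following Python checks a host's file listing and its Winlogon Userinit value for the artifacts described above; the stock Userinit value `C:\Windows\system32\userinit.exe,` is assumed as the clean baseline, and the listing is fed in as plain strings so the check can run offline against a forensic image.

```python
"""Offline triage for the host artifacts this post attributes to Zbot.

Added example, not code from the original post. Artifact names come
from the post; the baseline Userinit value is the Windows default
(assumption: %SystemRoot% is C:\\Windows).
"""
from typing import Iterable, List

# Artifacts named in the post, relative to %SYSTEM32%.
ZBOT_ARTIFACTS = (
    r"lowsec",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
    r"sdra64.exe",
)

# Stock Winlogon\Userinit value (the trailing comma is normal).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"


def userinit_extra_entries(value: str) -> List[str]:
    """Return every Userinit entry other than the legitimate userinit.exe.

    Userinit is a comma-separated list of programs Winlogon runs at logon.
    Zbot adds sdra64.exe here to persist, so any entry that is not
    userinit.exe is returned for review (case-insensitive, quotes ignored).
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        basename = entry.replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower() == "userinit.exe":
            continue
        extras.append(entry)
    return extras


def zbot_artifacts_present(existing_paths: Iterable[str],
                           system32: str = r"C:\Windows\system32") -> List[str]:
    """Return which of the post's artifacts occur in a host path listing.

    existing_paths is any listing of files and directories (e.g. from a
    mounted image); comparison is case-insensitive, as NTFS paths are.
    """
    wanted = {system32.rstrip("\\").lower() + "\\" + a.lower(): a
              for a in ZBOT_ARTIFACTS}
    return [wanted[p.lower()] for p in existing_paths if p.lower() in wanted]
```

A non-empty result from either function on a host that should be clean is a reason to pull memory and the Winlogon.exe process for further analysis, since the post notes the code is injected there.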