Microsoft today announced that it has added the Win32/Zemot family to the Malicious Software Removal Tool. Win32/Zemot is a family of trojan downloaders used to deliver malware such as Win32/Rovnix, Win32/Viknok, and Win32/Tesch, with a number of different payloads. Zemot is usually distributed through the spambot malware Win32/Kuluoz and through the Magnitude and Nuclear exploit kits. (The infection chain diagram referenced in the original post is not reproduced here.)

We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014.

By taking into account both the machine count and the file count telemetry, we can see that a single copy of Zemot is often mass distributed: the same file is served from the payload URLs (the download URLs used by Win32/Kuluoz and the payload URLs of the exploit kits) to a large number of machines, so the number of infected machines far exceeds the number of distinct Zemot files.

Some other notable characteristics of the Zemot family include: They use several techniques to make sure the downloaded module will run successfully on all Windows platforms. Each successful download is...
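The machine-count versus file-count reasoning above is the kind of telemetry check an analyst can reproduce. The script below is an added example, not code from Microsoft or from the original post: it takes constructed telemetry rows of the form (family, sample hash, machine id), computes how many distinct machines each distinct file was seen on, and flags families where one copy reaches many machines (the "mass distributed" pattern) as opposed to families where nearly every machine gets its own unique file (server-side polymorphism). The family names, hash labels, machine ids and the threshold of three machines per file are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed telemetry rows: (family, sample_hash, machine_id). Not real data;
# hash labels are placeholders rather than genuine SHA-256 values.
TELEMETRY = [
    # One Zemot copy ("zemot-a") is served to seven machines, a second copy to one.
    ("Zemot", "zemot-a", "m01"), ("Zemot", "zemot-a", "m02"),
    ("Zemot", "zemot-a", "m03"), ("Zemot", "zemot-a", "m04"),
    ("Zemot", "zemot-a", "m05"), ("Zemot", "zemot-a", "m06"),
    ("Zemot", "zemot-a", "m07"), ("Zemot", "zemot-b", "m08"),
    # A hypothetical polymorphic family: every machine receives a unique file.
    ("PolyFam", "poly-1", "m11"), ("PolyFam", "poly-2", "m12"),
    ("PolyFam", "poly-3", "m13"), ("PolyFam", "poly-4", "m14"),
    ("PolyFam", "poly-5", "m15"),
]


def distribution_stats(records):
    """Per family, return (unique_files, unique_machines, machines_per_file,
    top_file_share) where top_file_share is the fraction of the family's
    machines that received its single most widespread file."""
    machines_by_file = defaultdict(lambda: defaultdict(set))
    for family, sample_hash, machine_id in records:
        machines_by_file[family][sample_hash].add(machine_id)

    stats = {}
    for family, files in machines_by_file.items():
        all_machines = set()
        for machines in files.values():
            all_machines |= machines
        unique_files = len(files)
        unique_machines = len(all_machines)
        top_file_machines = max(len(m) for m in files.values())
        stats[family] = (
            unique_files,
            unique_machines,
            unique_machines / unique_files,
            top_file_machines / unique_machines,
        )
    return stats


def mass_distributed_families(records, min_machines_per_file=3.0):
    """Families whose average file reaches at least min_machines_per_file
    machines: the 'single copy, many victims' pattern described in the post.
    The threshold is an assumption for this example, not a Microsoft figure."""
    return sorted(
        family
        for family, (_, _, ratio, _) in distribution_stats(records).items()
        if ratio >= min_machines_per_file
    )


if __name__ == "__main__":
    for family, (files, machines, ratio, share) in distribution_stats(TELEMETRY).items():
        print(f"{family}: {files} files on {machines} machines, "
              f"{ratio:.1f} machines/file, top file share {share:.0%}")
    print("mass distributed:", mass_distributed_families(TELEMETRY))
```

On the constructed rows, Zemot shows 2 files across 8 machines (4.0 machines per file, with the top file reaching 87.5% of machines), while the polymorphic family shows exactly 1.0 machines per file; only Zemot is flagged. In real telemetry the same ratio, tracked per payload URL, separates campaigns that re-serve one build from those that regenerate the downloader per victim, which in turn tells you whether a hash-based block is worth anything.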