Troj/Zbot-GSK

Category: Viruses and Spyware    Protection available since: 24 Oct 2013 20:48:05 (GMT)
Type: Trojan    Last updated: 25 Oct 2013 15:19:40 (GMT)
Prevalence:


Examples of Troj/Zbot-GSK include:

Example 1

File Information

Size
291K
SHA-1
0e1a61850fa6a7f77227f0f04a886a64a8e75da8
MD5
904bc9104c87910e0d752b52660d07d6
CRC-32
95290031
File type
Windows executable
First seen
2011-06-27

Example 2

File Information

Size
188K
SHA-1
455d0868417efe6edc364a16beb4fa7135143d09
MD5
de5aa235cb1068b777863d759f21c446
CRC-32
b54de490
File type
Windows executable
First seen
2013-10-24

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\131000.exe
    Size
    228K
    SHA-1
    79b95f31c0b0f9cb639fd922f30d7d1d1e99bb6c
    MD5
    ab49f9dc45e2c3acfbdcd9d0f75f6fad
    CRC-32
    16ac131c
    File type
    Windows executable
    First seen
    2013-10-24
  • c:\Documents and Settings\test user\Application Data\Gaboyn\vauz.exe
    Size
    342K
    SHA-1
    a9eaa32fc50ad65ae58b5e4532bbb41cdb7b2782
    MD5
    62cc1a15fe4205e3d401715e34bbb2b3
    CRC-32
    e3a06e40
    File type
    Windows executable
    First seen
    2013-10-24
  • c:\Documents and Settings\test user\Application Data\Ovcyro\uhigud.exe
    Size
    342K
    SHA-1
    10492a5bf5723ec1d838b62517c9e5c45e06007f
    MD5
    917194adf29571d35da2fa6bc9206a9d
    CRC-32
    7b69afe0
    File type
    Windows executable
    First seen
    2013-10-24
  • c:\Documents and Settings\test user\Local Settings\Application Data\zeyh.jiw
    Size
    477
    SHA-1
    ad8e065ecd3c94280b71fbfe5c35a3bc6746d72d
    MD5
    daacf922e3534f2ed888d152598086a7
    CRC-32
    445614a8
    File type
    Unspecified binary - probably data
    First seen
    2013-10-24
Registry Keys Created
  • HKCU\Software\WinRAR
    0A473625B6E86F4871285A64CA818381
    tr□Pe□ (binary data; non-printable bytes shown as □)
  • HKCU\Software\Microsoft\Enhisuep
    10194ai9
    □□□□□□@□□ n□□□□0j□ (binary data; non-printable bytes shown as □)
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Vauz
    "c:\Documents and Settings\test user\Application Data\Gaboyn\vauz.exe"
Processes Created
  • c:\Documents and Settings\test user\application data\gaboyn\vauz.exe
  • c:\Documents and Settings\test user\application data\ovcyro\uhigud.exe
  • c:\docume~1\support\locals~1\temp\137625.exe
  • c:\docume~1\support\locals~1\temp\139343.exe
  • c:\docume~1\support\locals~1\temp\142468.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://berkahabadi.de/raitGB1.exe
  • http://clips.prack.net/wonQ.exe
  • http://networksecurityx.hopto.org/
  • http://s466866240.onlinehome.us/Vab.exe
  • http://www.fueramoos.de/DsVb.exe
IP Connections
  • 75.141.239.159:2199
  • 76.64.181.164:6033
  • 84.59.129.23:7605
  • 85.34.231.122:6106
  • 95.208.250.205:3458
DNS Requests
  • berkahabadi.de
  • clips.prack.net
  • networksecurityx.hopto.org
  • s466866240.onlinehome.us
  • thewinewars.com
  • www.fueramoos.de

Example 3

File Information

Size
137K
SHA-1
4f104125950c033a839b906fefececb2572bcac9
MD5
71d6667a30181da2e99885374f7683c9
CRC-32
6ceff2b6
File type
Windows executable
First seen
2013-10-24

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\xrsrpa2js1n2dhyitcpiqzbzkpziiqij2\svcnost.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\ntuser.dat
  • C:\WINDOWS\system32\drivers\etc\hosts
Modified Files
  • %SYSTEM%\drivers\etc\hosts
    • Changed the file contents
  • %PROFILE%\Application Data\desktop.ini
    • Changed the file contents
    • Set the system and archive flags
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\LowRegistry
    SavedLegacySettingsML
    67□08□ 7□□3□□ (binary data; non-printable bytes shown as □)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\Documents and Settings\test user\Application Data\xrsrpa2js1n2dhyitcpiqzbzkpziiqij2\svcnost.exe
    c:\Documents and Settings\test user\Application Data\xrsrpa2js1n2dhyitcpiqzbzkpziiqij2\svcnost.exe:*:Enabled:ldrsoft
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Init
    "c:\Documents and Settings\test user\Application Data\xrsrpa2js1n2dhyitcpiqzbzkpziiqij2\svcnost.exe"
Processes Created
  • c:\Documents and Settings\test user\application data\xrsrpa2js1n2dhyitcpiqzbzkpziiqij\svcnost.exe
IP Connections
  • 217.20.115.68:80
  • 89.149.242.162:80
DNS Requests
  • qgzf.ru
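
The runtime analyses of Examples 2 and 3 above list the artefacts a responder can look for on a suspect host: the dropped executables and their SHA-1s, Run-key values that launch from a per-user Application Data folder ("Vauz", "Windows Init"), the firewall AuthorizedApplications entry that lets svcnost.exe through, the rewritten hosts file, and the contacted domains. The Python script below is an added example, not Sophos code and not part of this threat description, that checks those indicators offline. It assumes a `reg export` dump already decoded from UTF-16 to text, handles only the quoted REG_SZ form of `.reg` lines, and its hosts-file rule (flag any mapping to a non-loopback address, or any name from the DNS lists on this page) is a heuristic of my own. The registry dump and hosts file at the bottom are constructed for the demo, not captured from the samples.

```python
# Offline IoC check for the Troj/Zbot-GSK indicators listed above (added example, not Sophos code).
# The sample inputs at the bottom are constructed for the demo, not captured from malware.
import hashlib
import re

# SHA-1 values of the samples and dropped executables listed on this page.
KNOWN_SHA1 = {
    "0e1a61850fa6a7f77227f0f04a886a64a8e75da8",  # Example 1
    "455d0868417efe6edc364a16beb4fa7135143d09",  # Example 2
    "79b95f31c0b0f9cb639fd922f30d7d1d1e99bb6c",  # 131000.exe
    "a9eaa32fc50ad65ae58b5e4532bbb41cdb7b2782",  # vauz.exe
    "10492a5bf5723ec1d838b62517c9e5c45e06007f",  # uhigud.exe
    "4f104125950c033a839b906fefececb2572bcac9",  # Example 3
}
# Domains from the DNS request lists of Examples 2 and 3.
KNOWN_DOMAINS = {
    "berkahabadi.de", "clips.prack.net", "networksecurityx.hopto.org",
    "s466866240.onlinehome.us", "thewinewars.com", "www.fueramoos.de", "qgzf.ru",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
APPDATA_RE = re.compile(r"\\application data\\", re.IGNORECASE)

def sha1_hit(data: bytes) -> bool:
    """True if the SHA-1 of `data` is one of the hashes listed on this page."""
    return hashlib.sha1(data).hexdigest() in KNOWN_SHA1

def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside REG_SZ data.
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg_export(text: str) -> dict:
    """Parse a `reg export` dump (already decoded from UTF-16 to str) into
    {key_path: {value_name: data}}. Only the quoted "name"="data" form
    (REG_SZ) is handled; that is all the Run key and firewall list use."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, data = line.partition('"="')
            keys[current][_unescape(name[1:])] = _unescape(data[:-1])
    return keys

def run_key_hits(keys: dict) -> list:
    """Run-key entries that launch from a per-user Application Data folder,
    the persistence both Zbot examples use ("Vauz" and "Windows Init")."""
    return [(n, c) for n, c in keys.get(RUN_KEY, {}).items() if APPDATA_RE.search(c)]

def firewall_hits(keys: dict) -> list:
    """Enabled XP firewall exceptions (path:*:Enabled:label) whose executable
    lives under Application Data, as Example 3 adds for svcnost.exe."""
    hits = []
    for path, rule in keys.get(FW_LIST_KEY, {}).items():
        parts = rule.split(":")
        if len(parts) >= 4 and parts[-2].lower() == "enabled" and APPDATA_RE.search(path):
            hits.append((path, parts[-1]))  # (exe path, rule label such as "ldrsoft")
    return hits

def hosts_hits(text: str) -> list:
    """Heuristic (my own, not from the page): hosts lines mapping a name to a
    non-loopback address, or naming a domain from this page. Legitimate admin
    entries will also show up, so review the hits rather than acting blindly."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr not in ("127.0.0.1", "::1") or any(n.lower() in KNOWN_DOMAINS for n in names):
            hits.append((addr, names))
    return hits

# Constructed `reg export` dump mirroring the entries shown in Examples 2 and 3.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Vauz"="\"c:\\Documents and Settings\\test user\\Application Data\\Gaboyn\\vauz.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Documents and Settings\\test user\\Application Data\\xrsrpa2js1n2dhyitcpiqzbzkpziiqij2\\svcnost.exe"="c:\\Documents and Settings\\test user\\Application Data\\xrsrpa2js1n2dhyitcpiqzbzkpziiqij2\\svcnost.exe:*:Enabled:ldrsoft"
'''
# Constructed hosts file: the loopback line is normal, the last line is not.
SAMPLE_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1 localhost\n192.0.2.10 www.example.com\n"

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    print("run keys:", run_key_hits(keys))
    print("firewall:", firewall_hits(keys))
    print("hosts:", hosts_hits(SAMPLE_HOSTS))
    print("hash hit:", sha1_hit(b"not a sample"))
```

On a live Windows XP image the inputs would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (plus the HKLM firewall key), `%SYSTEM%\drivers\etc\hosts`, and the bytes of any executable under the user's Application Data; the hash set only catches these exact samples, so the Run-key and firewall-exception checks are the ones that generalise to other Zbot builds.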
