Mal/Zbot-LA

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 07 Apr 2013 01:49:23 (GMT)
Last Updated: 07 Apr 2013 01:49:23 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Zbot-LA include:

Example 1

File Information

Size
1.1M
SHA-1
0c70c90dd6ffdd3eb896d440bb86fc5f10fc3081
MD5
4df076c7fa94b4d42741d1ee8cfed6e4
CRC-32
b1dcac5f
File type
Windows executable
First seen
2013-04-06

Example 2

File Information

Size
1.1M
SHA-1
f930c0f16fd7f3f42de411c59bc4e3fd6b5133f7
MD5
74876374f1fb6cf9143ac7f3ec4a5b83
CRC-32
356b9f77
File type
Windows executable
First seen
2013-04-06

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Kes\konuum.sit
    Size
    477
    SHA-1
    28500a950313df6383dd99886a92e8f218e49409
    MD5
    de56f521d529943810b072b88c1d9beb
    CRC-32
    1ab76337
    File type
    Unspecified binary - probably data
    First seen
    2013-04-06
  • c:\Documents and Settings\test user\Application Data\Eglaes\pexywo.exe
    Size
    1.1M
    SHA-1
    0c70c90dd6ffdd3eb896d440bb86fc5f10fc3081
    MD5
    4df076c7fa94b4d42741d1ee8cfed6e4
    CRC-32
    b1dcac5f
    File type
    Windows executable
    First seen
    2013-04-06
  • c:\Documents and Settings\test user\Application Data\Kes\konuum.tmp
    Size
    563
    SHA-1
    79322fc7d47584e9979c1b5db20cafd969e589dd
    MD5
    f60a0ec75e8fda00837093c4f1b66353
    CRC-32
    627b8c48
    File type
    Unspecified binary - probably data
    First seen
    2013-04-06
  • c:\Documents and Settings\test user\Local Settings\Temp\QUO.pdf
    Size
    63K
    SHA-1
    1cb16384cebddf7720313b966ccf6b08a9a147f5
    MD5
    09ae267d7a672905df8e260aa3f7bdb0
    CRC-32
    3bb435a3
    File type
    Adobe Portable Document Format (PDF)
    First seen
    2013-04-06
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9BB4AE73-CB78-BDB2-2F99-EC9EDD149165}
    "c:\Documents and Settings\test user\Application Data\Eglaes\pexywo.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Exivry
    Yvsoywa
    (binary data, not printable)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    76 ae 53 43 05 33 ce 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\eglaes\pexywo.exe
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • kongugounder.biz
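The indicators above, collected into a small matcher, as an added example that is not part of the Sophos analysis. It checks the file hashes and DNS name exactly, and turns the behaviour into shape-based rules: a GUID-named value under HKCU\...\Run pointing at an executable in a short random folder under Application Data, explorer.exe whitelisted in the firewall AuthorizedApplications lists, Internet Settings zone value 1609 set to 0, and the HKCU\Software\Microsoft\Exivry configuration key. The event schema, the sample telemetry and the "3 to 8 letters" folder/file-name heuristic are my own constructions, not something the page states.

```python
"""IOC matcher for the Mal/Zbot-LA indicators listed above (added example)."""
import re
from typing import Dict, List

# Atomic indicators copied from the File Information and Runtime Analysis sections.
KNOWN_SHA1 = {
    "0c70c90dd6ffdd3eb896d440bb86fc5f10fc3081",  # Example 1, also dropped as Eglaes\pexywo.exe
    "f930c0f16fd7f3f42de411c59bc4e3fd6b5133f7",  # Example 2
    "28500a950313df6383dd99886a92e8f218e49409",  # Kes\konuum.sit
    "79322fc7d47584e9979c1b5db20cafd969e589dd",  # Kes\konuum.tmp
    "1cb16384cebddf7720313b966ccf6b08a9a147f5",  # Temp\QUO.pdf (decoy opened in Acrobat Reader)
}
KNOWN_MD5 = {
    "4df076c7fa94b4d42741d1ee8cfed6e4",
    "74876374f1fb6cf9143ac7f3ec4a5b83",
    "de56f521d529943810b072b88c1d9beb",
    "f60a0ec75e8fda00837093c4f1b66353",
    "09ae267d7a672905df8e260aa3f7bdb0",
}
KNOWN_DOMAINS = {"kongugounder.biz"}

# Behavioural rules generalised from the registry and file activity above.
# The 3-8 letter folder/file-name heuristic is an assumption, not from the page.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
APPDATA_EXE = re.compile(r"\\Application Data\\[A-Za-z]{3,8}\\[A-Za-z]{3,8}\.exe\b", re.I)
FIREWALL_LIST = re.compile(
    r"\\FirewallPolicy\\(Standard|Domain)Profile\\AuthorizedApplications\\List$", re.I)
IE_ZONE = re.compile(r"\\Internet Settings\\Zones\\[0-4]$", re.I)
CONFIG_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Exivry$", re.I)

Event = Dict[str, str]  # constructed schema: type plus per-type fields


def scan(events: List[Event]) -> List[str]:
    """Return one finding string per event that matches an indicator."""
    findings: List[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file":
            path = ev.get("path", "")
            if ev.get("sha1", "").lower() in KNOWN_SHA1 or ev.get("md5", "").lower() in KNOWN_MD5:
                findings.append(f"known-hash: {path}")
            elif APPDATA_EXE.search(path):
                findings.append(f"zbot-style dropper path: {path}")
        elif kind == "registry":
            key, name, data = ev.get("key", ""), ev.get("name", ""), ev.get("data", "")
            # Persistence: GUID-named Run value launching an exe from Application Data.
            if RUN_KEY.search(key) and GUID_NAME.match(name) and APPDATA_EXE.search(data):
                findings.append(f"persistence: Run\\{name} -> {data}")
            # explorer.exe normally needs no firewall exemption; the analysis shows one added.
            elif FIREWALL_LIST.search(key) and "explorer.exe" in name.lower():
                findings.append(f"firewall exemption for explorer.exe: {key}")
            # 1609 is IE's "Display mixed content" action; 0 enables it without prompting.
            elif IE_ZONE.search(key) and name == "1609" and data == "0x00000000":
                findings.append(f"IE mixed-content prompt disabled: {key}")
            elif CONFIG_KEY.match(key):
                findings.append(f"zbot config blob: {key}\\{name}")
        elif kind == "dns":
            query = ev.get("query", "").lower().rstrip(".")
            if query in KNOWN_DOMAINS:
                findings.append(f"known domain from analysis: {query}")
    return findings


# Constructed sample telemetry mirroring the sandbox run above, plus benign entries.
SAMPLE_EVENTS: List[Event] = [
    {"type": "file", "path": r"c:\Documents and Settings\test user\Application Data\Eglaes\pexywo.exe",
     "sha1": "0c70c90dd6ffdd3eb896d440bb86fc5f10fc3081", "md5": "4df076c7fa94b4d42741d1ee8cfed6e4"},
    {"type": "file", "path": r"c:\Documents and Settings\test user\Application Data\Qwerty\abcdef.exe",
     "sha1": "0" * 40, "md5": "0" * 32},  # unknown hash, suspicious path shape
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "{9BB4AE73-CB78-BDB2-2F99-EC9EDD149165}",
     "data": r'"c:\Documents and Settings\test user\Application Data\Eglaes\pexywo.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ctfmon.exe", "data": r"C:\WINDOWS\system32\ctfmon.exe"},  # benign
    {"type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
            r"\StandardProfile\AuthorizedApplications\List",
     "name": r"%windir%\explorer.exe", "data": r"%windir%\explorer.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",
     "name": "1609", "data": "0x00000000"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Exivry", "name": "Yvsoywa", "data": "<binary>"},
    {"type": "dns", "query": "kongugounder.biz"},
    {"type": "dns", "query": "www.example.com"},  # benign
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Hashes identify these two samples only; a repacked build changes every hash while keeping the same drop path shape, GUID-named Run value, firewall exemption and configuration key, so the shape rules are the ones worth keeping in a detection, with the specific GUID and folder names treated as per-infection noise.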
