Mal/Zbot-LE

Category: Viruses and Spyware
Protection available since: 18 Apr 2013 01:45:07 (GMT)
Type: Malicious behavior
Last Updated: 18 Apr 2013 01:45:07 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Zbot-LE include:

Example 1

File Information

File type
application/x-ms-dos-executable

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\SharedReg.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\dclogs\2013-04-16-3.dc
  • c:\Documents and Settings\test user\Templates\bootres.exe
    Size
    7.5K
    SHA-1
    a85388fc3bc465b67e3a5b0c1f2621954b5c62f8
    MD5
    2e74010faa0b3cc0ff1dcff309da03b3
    CRC-32
    78bf89d8
    File type
    Windows executable
    First seen
    2013-04-07
Processes Created
  • c:\Documents and Settings\test user\templates\bootres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
DNS Requests
  • tycoo2012.no-ip.org

Example 2

File Information

File type
application/x-ms-dos-executable

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\SharedReg.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\B0MLJ84LIM.exe
  • c:\Documents and Settings\test user\Application Data\logs
  • c:\Documents and Settings\test user\Templates\bootres.exe
    Size
    7.5K
    SHA-1
    a85388fc3bc465b67e3a5b0c1f2621954b5c62f8
    MD5
    2e74010faa0b3cc0ff1dcff309da03b3
    CRC-32
    78bf89d8
    File type
    Windows executable
    First seen
    2013-04-07
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\Documents and Settings\test user\Application Data\B0MLJ84LIM.exe
    c:\Documents and Settings\test user\Application Data\B0MLJ84LIM.exe:*:Enabled:Windows Messanger
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    QAMRGRIGII
    April 16, 2013
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    QAMRGRIGII
    juctuck's Bot
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\templates\bootres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 1singingserver1.zapto.org
  • 2singingserver1.zapto.org
  • 3singingserver1.zapto.org
  • 4singingserver1.zapto.org
  • 5singingserver1.zapto.org
  • 6singingserver1.zapto.org
  • 7singingserver1.zapto.org
  • singingserver1.zapto.org

Example 3

File Information

Size
559K
SHA-1
42fe82fd5353ca0a1ad451f474a20391fa852497
MD5
ccb759ce6105f7d8674547a62f0a914b
CRC-32
b5d3bdc3
File type
Windows executable
First seen
2013-04-13

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\logs
    Size
    32
    SHA-1
    76296e842341af2b091ed821e0edec5829f5dc9b
    MD5
    64154740916c7d23f0c7ef91d53a68f0
    CRC-32
    60cccd0a
    File type
    Data Log File (generic)
    First seen
    2013-04-14
  • c:\Documents and Settings\test user\Application Data\B0MLJ84LIM.exe
Registry Keys Created
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    QAMRGRIGII
    April 14, 2013
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Windows Messanger
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    QAMRGRIGII
    juctuck's Bot
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 1singingserver1.zapto.org
  • 2singingserver1.zapto.org
  • 3singingserver1.zapto.org
  • singingserver1.zapto.org
