Mal/Zbot-O

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 11 May 2009 13:27:24 (GMT)
Last Updated: 11 May 2009 13:27:24 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Zbot-O include:

Example 1

File Information

Size
78K
SHA-1
074e4bebe7a52bf4c98739839fc6ff6eda7678cf
MD5
0484cdb6a8f48fc321a379d4d56ddbf2
CRC-32
f967af1b
File type
application/x-ms-dos-executable
First seen
2010-09-15

Other vendor detection

Avira
TR/Crypt.ZPACK.Gen
Kaspersky
Trojan-Spy.Win32.Zbot.gen

Runtime Analysis

Dropped Files
  • C:\WINDOWS\system32\sdra64.exe
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
Registry Keys Created
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_0002552B
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    {33373039-3132-3864-6B30-303233343434}
    47 09 f2 0d
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 d0 55 ac 4a d0 54 cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 d0 55 ac 4a d0 54 cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_00024F00
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_00025B64
Registry Keys Modified
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    AppData
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP Requests
  • http://zeushosted.selfip.biz/zs/web/builder/cfg.bin
DNS Requests
  • zeushosted.selfip.biz

Example 2

File Information

Size
63K
SHA-1
0a4e73e75f2fac8831d01feb3c09b86f19e54131
MD5
a36b8cb3046e6aba08942461a070d465
CRC-32
bd3061d6
File type
application/x-ms-dos-executable
First seen
2011-02-06

Other vendor detection

Avira
TR/Crypt.ZPACK.Gen
Kaspersky
Trojan-Spy.Win32.Zbot.gen

Runtime Analysis

Dropped Files
  • C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234527\desktop.ini
  • C:\WINDOWS\system32\sdra64.exe
    Size
    215K
    SHA-1
    8d23ed4788948f30fc6625a2cb6fe87a364ad86e
    MD5
    1f1487bc8491d863d72f6f18ee62d536
    CRC-32
    ea07502d
    File type
    application/x-ms-dos-executable
    First seen
    2011-02-06
  • C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
  • C:\WINDOWS\Temp\History\History.IE5\desktop.ini
  • C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SLIN01QB\desktop.ini
  • C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8LU7092J\desktop.ini
  • C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K9MRWPAB\desktop.ini
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
Registry Keys Created
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_0002B387
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 a0 f4 10 6e 1c c6 cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_0002AFAE
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    {3039636B-5F3D-6C64-6675-696870667265}
    f7 09 f2 0d
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    {33373039-3132-3864-6B30-303233343434}
    47 09 f2 0d
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_0002A936
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 a0 f4 10 6e 1c c6 cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HTTP Requests
  • http://greenlakemnid.com/cfg2.bin
DNS Requests
  • greenlakemnid.com

Example 3

File Information

Size
82K
SHA-1
0f9ca32c3cbaf4a936ec99ac3e9c8cd5d68faefb
MD5
09073e61efc7d333ed8054e437e88426
CRC-32
a88a937d
File type
application/x-ms-dos-executable
First seen
2010-12-31

Other vendor detection

Avira
TR/Crypt.ZPACK.Gen
Kaspersky
Trojan-Spy.Win32.Zbot.gen

Runtime Analysis

Dropped Files
  • C:\WINDOWS\system32\sdra64.exe
    Size
    388K
    SHA-1
    1cf5b597db02d96a0fccbb820e2dcbdbbf37cce9
    MD5
    ef06f06b7bdf706e08e9d0d51d83f361
    CRC-32
    ca4cf777
    File type
    application/x-ms-dos-executable
    First seen
    2011-01-04
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
Registry Keys Created
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_000245B9
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_000242FA
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_0002477F
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c4 99 71 43 ac cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c4 99 71 43 ac cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    {33373039-3132-3864-6B30-303233343434}
    47 09 f2 0d
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    AppData
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HTTP Requests
  • http://mourouj-team.cz.cc/cart.php/php/cfg.bin
DNS Requests
  • mourouj-team.cz.cc
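All three examples share one persistence mechanism: the dropper writes C:\WINDOWS\system32\sdra64.exe and appends it to the Winlogon Userinit value, so Windows launches it at every logon alongside userinit.exe, then fetches a cfg*.bin configuration file over HTTP from the listed host. The following Python helpers are an added triage example written for this page, not code from Sophos or from the samples; the hashes, hosts and URLs are the ones listed above, while the function names, the sample registry export and the request list are constructed for illustration.

```python
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators copied from the page.
DROPPER_SHA1 = {
    "074e4bebe7a52bf4c98739839fc6ff6eda7678cf",  # Example 1
    "0a4e73e75f2fac8831d01feb3c09b86f19e54131",  # Example 2
    "0f9ca32c3cbaf4a936ec99ac3e9c8cd5d68faefb",  # Example 3
}
DROPPED_SHA1 = {
    "8d23ed4788948f30fc6625a2cb6fe87a364ad86e",  # Example 2, sdra64.exe
    "1cf5b597db02d96a0fccbb820e2dcbdbbf37cce9",  # Example 3, sdra64.exe
}
C2_HOSTS = {"zeushosted.selfip.biz", "greenlakemnid.com", "mourouj-team.cz.cc"}

# The one entry Winlogon's Userinit value holds on a clean host (compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# A 'reg export' of the Winlogon key is a common way to collect this value from a
# disk image or a remote host.  .reg files escape '\' and '"' with a backslash.
USERINIT_LINE = re.compile(r'^"Userinit"="(?P<val>.*)"\s*$', re.MULTILINE)


def userinit_from_reg_export(reg_text: str) -> Optional[str]:
    """Extract and unescape the Userinit value from a .reg dump of the Winlogon key."""
    m = USERINIT_LINE.search(reg_text)
    if m is None:
        return None
    return re.sub(r"\\(.)", r"\1", m.group("val"))


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value; Windows runs every entry at logon.

    The legitimate value ends in a trailing comma, so empty fields are dropped.
    """
    return [e.strip() for e in value.split(",") if e.strip()]


def extra_userinit_entries(value: str) -> List[str]:
    """Entries other than userinit.exe itself: each one is an autostart to confirm."""
    return [e for e in parse_userinit(value) if e.lower() != EXPECTED_USERINIT]


CFG_PATH = re.compile(r"/cfg\d*\.bin$", re.IGNORECASE)


def flag_requests(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (url, reason) for requests to a listed host or matching the cfg*.bin pattern."""
    hits = []
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        if host in C2_HOSTS:
            hits.append((u, "host listed on the page"))
        elif CFG_PATH.search(p.path):
            hits.append((u, "cfg*.bin fetch pattern"))
    return hits


def classify_sha1(digest: str) -> Optional[str]:
    """Map a SHA-1 to the role the page gives it, or None if it is not listed."""
    d = digest.lower()
    if d in DROPPER_SHA1:
        return "Mal/Zbot-O dropper"
    if d in DROPPED_SHA1:
        return "Mal/Zbot-O dropped sdra64.exe"
    return None


def sha1_hex(data: bytes) -> str:
    """SHA-1 of file contents, lower-case hex, for comparison with the page's hashes."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample input (not captured from a real host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
'''
SAMPLE_REQUESTS = [
    "http://greenlakemnid.com/cfg2.bin",       # Example 2, as listed on the page
    "http://update.example.test/cfg.bin",      # constructed: unknown host, same pattern
    "http://update.example.test/index.html",   # constructed: benign
]

if __name__ == "__main__":
    value = userinit_from_reg_export(SAMPLE_REG_EXPORT)
    print("Userinit:", value)
    print("extra autostarts:", extra_userinit_entries(value or ""))
    for url, why in flag_requests(SAMPLE_REQUESTS):
        print("flag:", url, "-", why)
    print(classify_sha1("1CF5B597DB02D96A0FCCBB820E2DCBDBBF37CCE9"))
```

The Userinit check is the signal common to all three samples; the file name sdra64.exe and the three hosts are per-sample indicators that only match these builds. Userinit is a legitimate autostart location, so confirm any extra entry by hashing the file it points to (sha1_hex, then classify_sha1) rather than acting on the registry value alone.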
