Troj/Zbot-EAE

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 24 Feb 2013 16:27:50 (GMT)
Last Updated: 24 Feb 2013 16:27:50 (GMT)


Examples of Troj/Zbot-EAE include:

Example 1

File Information

Size: 238K
SHA-1: 8a8123431effc50df502d61d6a8d9365b465a1e5
MD5: 8281289d013e30ced68255b4628f00aa
CRC-32: a2846fa4
File type: Windows executable
First seen: 2013-02-23

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Gousm\itliikt.fik
    Size: 477
    SHA-1: ff1cca51dae0e63e9c1e21703f2fb57998e49761
    MD5: a0136a8cf3a2d54db749a3f4d24aa67a
    CRC-32: 3d40c3b8
    File type: Unspecified binary - probably data
    First seen: 2013-02-23
  • c:\Documents and Settings\test user\Application Data\Taysyq\emenydu.exe
    Size: 238K
    SHA-1: f3898853c69f386c1f50fe6b0eb5a81b0c71e12f
    MD5: 0ef7d3e4650ccd7187fdc0e58968939b
    CRC-32: a74323cc
    File type: Windows executable
    First seen: 2013-02-23
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Yhir
    Cokaufba = □□□□h□p□□p□□□□□`x□0□□□a□P□□P□□□□□□□□□□□□8□@□□0□□p□□□G□□□□□m□□Z□□□□□□□`□□□"□0t□□□□@_□□□□□L□Py□0□□pq□□□□P□□□□□@□□□□□@e□PL□□□□ W□□7□@□□□□□`1□□□□□v□□□□□□□□F□`□□□□□□*□@□□□s□□□□□|□
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe = %windir%\explorer.exe
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {F197D56A-2BD0-BC9B-89B3-BBC3439A2437} = "c:\Documents and Settings\test user\Application Data\Taysyq\emenydu.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe = %windir%\explorer.exe
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = ca 72 d2 37 d2 11 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\taysyq\emenydu.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • epicstrugglecom.ru

Example 2

File Information

Size: 238K
SHA-1: f3898853c69f386c1f50fe6b0eb5a81b0c71e12f
MD5: 0ef7d3e4650ccd7187fdc0e58968939b
CRC-32: a74323cc
File type: Windows executable
First seen: 2013-02-23
