Troj/Zbot-EAJ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 25 Feb 2013 07:31:13 (GMT)
Last Updated: 25 Feb 2013 07:31:13 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-EAJ include:

Example 1

File Information

Size
635K
SHA-1
1ae0599d97a25dfe5971e0006a1bba9d1b8e32eb
MD5
c77102304e44464310f12b4144ab2d49
CRC-32
b83a5aaa
File type
Windows executable
First seen
2013-02-25

Example 2

File Information

Size
635K
SHA-1
34b166e652f12de63489ab11d64a9d62adc62d25
MD5
a50a1a6dea47d6fb3b940b9a9b4ca223
CRC-32
f2788259
File type
Windows executable
First seen
2013-02-25

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\nsh5.tmp\System.dll
    Size
    11K
    SHA-1
    77fe20488444ebbaafc5b2c0743251a94edc3b8e
    MD5
    a78507ea1078cadaa8b2ec1a2e1d874f
    CRC-32
    06faa35d
    File type
    Windows executable
    First seen
    2012-03-16
  • c:\Documents and Settings\test user\Local Settings\Temp\nsh5.tmp\bootstrap.ini
    Size
    139
    SHA-1
    faa96f78d9a0a16ea4dd452d4ca8e0de783436cd
    MD5
    0a6c9a01a40f9c3004f28a3cefaea6df
    CRC-32
    14bab73c
    File type
    Configuration Data File (generic)
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\nscA.tmp.htm
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\welcome.ini
    Size
    6.9K
    SHA-1
    70bc7fa900d5181a0b919e28f6fe106f1167049a
    MD5
    3f4eba3c45a757d8fc7f326b3ed0cc4f
    CRC-32
    f4bb7ad7
    File type
    UTF-16/UCS-2 16-bit Unicode Transformation Format
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\s3.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\eula.rtf
    Size
    70K
    SHA-1
    4c0ecf7d94505b11d1af484e92b41d46a7b6f8ce
    MD5
    d64f2efea5fbfcf56b7ec24849013e6e
    CRC-32
    c8a22dfb
    File type
    Rich Text Format (RTF)
    First seen
    2012-02-19
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\legal.ini
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\InstallOptions.dll
    Size
    15K
    SHA-1
    9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
    MD5
    89351a0a6a89519c86c5531e20dab9ea
    CRC-32
    7fb8a1b8
    File type
    Windows executable
    First seen
    2012-05-04
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\finish.ini
  • c:\Documents and Settings\test user\Application Data\Kybyvi\vukyece.exe
    Size
    635K
    SHA-1
    1ae0599d97a25dfe5971e0006a1bba9d1b8e32eb
    MD5
    c77102304e44464310f12b4144ab2d49
    CRC-32
    b83a5aaa
    File type
    Windows executable
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\System.dll
    Size
    11K
    SHA-1
    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
    MD5
    bf712f32249029466fa86756f5546950
    CRC-32
    81ca71bf
    File type
    Windows executable
    First seen
    2012-04-10
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\modern-header.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\review.ini
  • c:\Documents and Settings\test user\Application Data\Efusu\zyefna.ubf
    Size
    477
    SHA-1
    8c6b1edf9fde0ba3b404bae689521bbd42f2a464
    MD5
    d87845f46d22ab75e4017de615098493
    CRC-32
    bd99aae5
    File type
    Unspecified binary - probably data
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\s4.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\ymsgr11_us.ini
    Size
    1.2K
    SHA-1
    8826f2d1ddad4490c2f230789d010a4bea5bf6d0
    MD5
    d1789026792d5a4ad2c4311433502939
    CRC-32
    b28640e5
    File type
    Configuration Data File (generic)
    First seen
    2012-07-20
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\ywiseextU.dll
    Size
    172K
    SHA-1
    46606948b8e09de9279a25edcefbb2d25730cc27
    MD5
    ffd723206fe517c7f9a4aa5720a4bfda
    CRC-32
    fd698389
    File type
    Windows executable
    First seen
    2010-12-10
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\InetLoad_vms.dll
    Size
    22K
    SHA-1
    d15fef787c7e3ef00951a146cfa6556940c50c86
    MD5
    7881412aba479420672da8ef5f278701
    CRC-32
    dde281b3
    File type
    Windows executable
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Local Settings\Temp\nsh5.tmp\Base64.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\Y!.exe
    Size
    430K
    SHA-1
    28d49db2b13cedd1c26e1d42b9acb0b247276732
    MD5
    d30525a286a12a4ec47aef441c682039
    CRC-32
    884bd9c7
    File type
    Windows executable
    First seen
    2012-06-02
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\software.ini
    Size
    4.8K
    SHA-1
    9fa99bb2bb0fd5e533a990d89604f34dfe1dd75d
    MD5
    de7120c08b553de7a613732ce6dfcc96
    CRC-32
    87edbd9a
    File type
    UTF-16/UCS-2 16-bit Unicode Transformation Format
    First seen
    2012-05-17
  • c:\Documents and Settings\test user\Local Settings\Temp\nsh5.tmp\YExecShell.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\s2.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\nsoB.tmp.htm
    Size
    81
    SHA-1
    8cf9993aa079895d116bcfa6e80aefcb72791676
    MD5
    cdb78a0b9c9e34d093187deecdccefe0
    CRC-32
    d9ac0de5
    File type
    Unspecified Markup Language
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\s1.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsh5.tmp\ymsgr_suite_setup.exe
    Size
    333K
    SHA-1
    776fd9dfa47b6094e20ad2acfa15bbc581b680a6
    MD5
    2adf941f39e72b2f3c1a0e4aa7680656
    CRC-32
    64a63304
    File type
    Windows executable
    First seen
    2012-07-20
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd7.tmp\s5.bmp
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Yahoo\SuiteInstaller
    Full
    e0EwN0YzMDYxLTY3QjUtNDU1Qi1CRTMyLUIwMERBOEVBOUE4Nn0=
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyHttp1.1
    0x00000001
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {1B5FD17D-C148-81A9-D0E7-00B327D5CAF7}
    "c:\Documents and Settings\test user\Application Data\Kybyvi\vukyece.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Woqi
    Imvoulsuo
    (binary data; the value is not reproducible as text)
  • HKCU\Software\Yahoo\pager
    MD_ID_VALUE
    ID=e0EwN0YzMDYxLTY3QjUtNDU1Qi1CRTMyLUIwMERBOEVBOUE4Nn0=
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    b0 1e b1 16 ff 12 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\kybyvi\vukyece.exe
  • c:\docume~1\support\locals~1\temp\henoyuhuqiwo.exe
  • c:\docume~1\support\locals~1\temp\nsh5.tmp\ymsgr_suite_setup.exe
  • c:\docume~1\support\locals~1\temp\y!.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://insider.msg.yahoo.com/ycontent/stats.php
  • http://rd.software.yahoo.com/msgr/11/ini/ymsgr11_us.ini
  • http://xp.yimg.com/gj/msgr/11/ini/20120529/ymsgr11_us.ini
IP Connections
  • 74.63.250.156:80
DNS Requests
  • insider.msg.yahoo.com
  • installerstats.yahoo.com
  • rd.software.yahoo.com
  • xp.yimg.com

Example 3

File Information

Size
1.2M
SHA-1
7ec7214f7a7afc46f4f6b53e313ec4077d7f56ce
MD5
d6c254114eab2091f59703de7803b3f1
CRC-32
99fd81cf
File type
Windows executable
First seen
2013-02-25

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\jinstall.cfg
    Size
    1.2K
    SHA-1
    9ff0698b32caee0c6d6ad63fcbd4a60d022b81e1
    MD5
    d0a4afb159e776e5be015199f8ade111
    CRC-32
    77959f98
    File type
    Extensible Markup Language (XML)
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Application Data\Sun\Java\jre1.7.0_15\java_sp.dll
    Size
    603K
    SHA-1
    a1d70f07f6751aacb4159f28c0814da1c1bbfceb
    MD5
    d03824e7251fea47c2b069e34f57d428
    CRC-32
    3479b3c0
    File type
    Unspecified binary - probably data
    First seen
    2012-12-18
  • c:\Documents and Settings\test user\Local Settings\Temp\java.exe
    Size
    876K
    SHA-1
    0cc69873a61873ac4cb25c1037b3d25334aed7fe
    MD5
    9bb4539efc0fd15c702873d7c521d882
    CRC-32
    6775a49c
    File type
    Windows executable
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Local Settings\Temp\jusched.log
    Size
    53
    SHA-1
    892b7feb52374760cd1967413ac53c16d7cfb029
    MD5
    9e8566a41fca0d6f74ce7a1adbebe5fc
    CRC-32
    9c1cf2c9
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-02-25
  • c:\Documents and Settings\test user\Application Data\Sun\Java\jre1.7.0_15\jre1.7.0_15-c.msi
    Size
    7.8M
    SHA-1
    b6aa9c685064b6619bcefdbf3e7938ef771af497
    MD5
    cab053fbe49685b1bfade7ec2e3e11f2
    CRC-32
    cb7e9040
    File type
    Unspecified binary - probably data
    First seen
    2013-02-25
Processes Created
  • c:\docume~1\support\locals~1\temp\java.exe
  • c:\docume~1\support\locals~1\temp\zazokuruvu.exe
HTTP Requests
  • http://javadl-esd.sun.com/update/1.7.0/1.7.0_15-b03.xml
  • http://javadl-esd.sun.com/update/1.7.0/sp-1.7.0_15-b03/java_sp.dll
  • http://javadl.sun.com/webapps/download/AutoDL
  • http://javadl.sun.com/webapps/download/GetFile/1.7.0_15-b03/windows-i586/Java3BillDevices_en.jpg
  • http://javadl.sun.com/webapps/download/GetFile/1.7.0_15-b03/windows-i586/jre1.7.0_15-c.msi
  • http://sdlc-esd.sun.com/ESD6/JSCDL/jdk/7u15-b03/jre/jre1.7.0_15-c.msi
DNS Requests
  • javadl-esd.sun.com
  • javadl.sun.com
  • sdlc-esd.sun.com
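
The Yahoo Messenger and Java artifacts listed above (the nsh5.tmp and nsd7.tmp NSIS temporary directories and their plugin DLLs, ymsgr_suite_setup.exe, ymsgr11_us.ini, jre1.7.0_15-c.msi, java_sp.dll and the yahoo.com / sun.com requests) come from the legitimate installers these samples run alongside the trojan. They also appear on clean machines that install those products and should not be used as detection on their own. The indicators specific to the trojan are the randomly named executable under Application Data (Kybyvi\vukyece.exe, with the same SHA-1 as Example 1), the Run value with a GUID-style name pointing at it, the Efusu\zyefna.ubf data file, the Woqi\Imvoulsuo registry blob, explorer.exe being added to both firewall profiles' AuthorizedApplications lists, and the randomly named henoyuhuqiwo.exe / zazokuruvu.exe processes launched from Temp.

The script below is an added example (not Sophos tooling) that triages a host against those indicators: it hashes files under a root against the SHA-1 values on this page, flags Run entries with the GUID-name / Application Data shape, reports whether explorer.exe was firewall-authorised, and decodes the base64 SuiteInstaller value to show it is only a GUID written by the Yahoo installer. The "Roaming" path variant (for Vista and later profiles) and the benign ctfmon.exe sample entry are my assumptions; the live registry reader works only on Windows, and elsewhere the script falls back to the sample data constructed from the page.

```python
"""Host triage for the Troj/Zbot-EAJ indicators on this page (added example)."""
import base64
import hashlib
import os
import re
from typing import Dict, List, Tuple

# SHA-1 values copied from the page (Examples 1-3 and the dropped .ubf data file).
ZBOT_SHA1: Dict[str, str] = {
    "1ae0599d97a25dfe5971e0006a1bba9d1b8e32eb": "Example 1 / dropped Kybyvi\\vukyece.exe",
    "34b166e652f12de63489ab11d64a9d62adc62d25": "Example 2",
    "7ec7214f7a7afc46f4f6b53e313ec4077d7f56ce": "Example 3",
    "8c6b1edf9fde0ba3b404bae689521bbd42f2a464": "dropped Efusu\\zyefna.ubf",
}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Persistence shape seen on the page: a GUID-style value name whose data is
# <profile>\Application Data\<random>\<random>.exe ("Roaming" added as an assumption).
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
APPDATA_EXE = re.compile(r"\\(?:Application Data|Roaming)\\[^\\]+\\[^\\]+\.exe$", re.I)


def hash_file(path: str) -> Tuple[str, str]:
    """Return (sha1, md5) hex digests of a file, streamed in 1 MiB chunks."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, sha1, label) for every file whose SHA-1 is on the page."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                sha1, _ = hash_file(path)
            except OSError:
                continue  # locked or unreadable file; keep scanning
            if sha1 in ZBOT_SHA1:
                hits.append((path, sha1, ZBOT_SHA1[sha1]))
    return hits


def suspicious_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value_name, target) pairs from a Run key that fit the Zbot persistence shape."""
    hits = []
    for name, data in run_values.items():
        target = data.strip().strip('"')  # the page shows the path wrapped in quotes
        if GUID_NAME.match(name) and APPDATA_EXE.search(target):
            hits.append((name, target))
    return hits


def explorer_firewall_authorized(list_values: Dict[str, str]) -> bool:
    """True if explorer.exe is a value name under a FirewallPolicy AuthorizedApplications\\List key."""
    return any(name.lower().endswith("\\explorer.exe") for name in list_values)


def decode_installer_id(b64: str) -> str:
    """Decode the base64 value the page shows under HKCU\\Software\\Yahoo\\SuiteInstaller."""
    return base64.b64decode(b64).decode("ascii")


def read_key_values(hive: str, subkey: str) -> Dict[str, str]:
    """Read all values of <hive>\\<subkey> into a dict. Windows only; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(root, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values[name] = str(data)
                index += 1
    except OSError:
        pass  # key absent or access denied
    return values


if __name__ == "__main__":
    # Constructed from the page's "Registry Keys Created" entry plus one benign sample value.
    sample_run = {
        "{1B5FD17D-C148-81A9-D0E7-00B327D5CAF7}":
            r'"c:\Documents and Settings\test user\Application Data\Kybyvi\vukyece.exe"',
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # assumed benign XP entry
    }
    live = read_key_values("HKCU", RUN_KEY)
    print("Run-key hits:", suspicious_run_entries(live or sample_run))
    print("SuiteInstaller value decodes to:",
          decode_installer_id("e0EwN0YzMDYxLTY3QjUtNDU1Qi1CRTMyLUIwMERBOEVBOUE4Nn0="))
```

Run it from an elevated prompt on the suspect host to read the live Run key, and pass the profile directory to scan_tree to hash everything under Application Data; on another platform it only exercises the constructed sample data. Hash matching is exact, so a repacked sample with a different SHA-1 is caught only by the registry checks, which key on the persistence shape rather than on the random names.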
