Troj/Zbot-EAX

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 27 Feb 2013 12:50:10 (GMT)
Last Updated: 27 Feb 2013 12:50:10 (GMT)


Troj/Zbot-EAX exhibits the following characteristics:

File Information

Size: 1.1M
SHA-1: 9766d1d8a3a21062930a67d0b224d27a6fe38b1a
MD5: 386c340bd8f4a4ccdd332115e6be0455
CRC-32: b672d29c
File type: application/x-ms-dos-executable
First seen: 2013-02-27

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Sun\Java\jre1.7.0_13\java_sp.dll
    Size: 603K
    SHA-1: a1d70f07f6751aacb4159f28c0814da1c1bbfceb
    MD5: d03824e7251fea47c2b069e34f57d428
    CRC-32: 3479b3c0
    File type: Unspecified binary - probably data
    First seen: 2012-12-18
  • c:\Documents and Settings\test user\Application Data\Ysnyi\qeom.cay
    Size: 477
    SHA-1: 315891a8f6591f57985bac4f37636b1e8a830eec
    MD5: d3bc3b8e86bdf20fecda0728f3a03122
    CRC-32: 4d53f1a4
    File type: Unspecified binary - probably data
    First seen: 2013-02-27
  • c:\Documents and Settings\test user\Local Settings\Temp\JavaSetup7u13.exe
    Size: 877K
    SHA-1: 43abc1d365c18b9e44cc75b5958f6117add86322
    MD5: 51ec3319fbcfadb7954fab295961f430
    CRC-32: e08ecf80
    File type: Windows executable
    First seen: 2013-02-23
  • c:\Documents and Settings\test user\Local Settings\Temp\jinstall.cfg
    Size: 1.2K
    SHA-1: 2576efbec69e87b196771b02c8a42966c1ca685d
    MD5: 7d4b9766dc1dbeeca1a8feb0af8082c3
    CRC-32: cf4969fc
    File type: Extensible Markup Language (XML)
    First seen: 2013-02-21
  • c:\Documents and Settings\test user\Local Settings\Temp\jusched.log
    Size: 53
    SHA-1: 9a0d946b42fc275613ad0c3b43ef2d3dcd1bc0ca
    MD5: 60d55702215942aebc78d79bf2364f28
    CRC-32: 77d42f87
    File type: application/octet-stream
    First seen: 2013-02-27
  • c:\Documents and Settings\test user\Application Data\Owan\uxpu.exe
    Size: 1.1M
    SHA-1: d0223d2bd2c13fb67286beb3675213a16c6f2880
    MD5: a3c41f33ee95c5387365a8c21f955605
    CRC-32: 96e4e9de
    File type: Windows executable
    First seen: 2013-02-27
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Value: {1D0F9F0D-ADA3-1231-A6D4-6C7C625C3321}
    Data: "c:\Documents and Settings\test user\Application Data\Owan\uxpu.exe"
  • HKCU\Software\Microsoft\Ryzyl
    Value: Efuloret
    Data: (binary data, not printable)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    Value: CleanCookies
    Data: 0x00000000
  • HKCU\Identities
    Value: Identity Login
    Data: 0x00098053
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Value: Compact Check Count
    Data: 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Value: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Value: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    Value: TimeStamp
    Data: 32 f8 59 ae c0 14 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Value: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Value: 1609
    Data: 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\owan\uxpu.exe
  • c:\docume~1\support\locals~1\temp\dowoqoga.exe
  • c:\docume~1\support\locals~1\temp\javasetup7u13.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://javadl-esd.sun.com/update/1.7.0/1.7.0_13-b20.xml
  • http://javadl-esd.sun.com/update/1.7.0/sp-1.7.0_13-b20/java_sp.dll
  • http://javadl.sun.com/webapps/download/AutoDL
  • http://javadl.sun.com/webapps/download/GetFile/1.7.0_13-b20/windows-i586/Java3BillDevices_en.jpg
  • http://javadl.sun.com/webapps/download/GetFile/1.7.0_13-b20/windows-i586/jre1.7.0_13-c.msi
IP Connections
  • 216.176.190.179:80
DNS Requests
  • javadl-esd.sun.com
  • javadl.sun.com
  • sdlc-esd.sun.com
  • www.google.bg
  • www.google.com
