Troj/Zbot-EBN

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 09 Mar 2013 07:47:37 (GMT)
Last Updated: 09 Mar 2013 07:47:37 (GMT)


Examples of Troj/Zbot-EBN include:

Example 1

File Information

Size
532K
SHA-1
510f78a210725efd3a01aaa61cc6e8568e27d4a3
MD5
aee92617a5f0202f14b9eb9d717725e4
CRC-32
b0274e8d
File type
Windows executable
First seen
2013-03-09

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ysunz\zykaag.asr
    Size
    477
    SHA-1
    3cd610eddd158662fb8639f6afa5785ee1eb2263
    MD5
    bcb31d2d1f33657596cc8b9af3429a83
    CRC-32
    d48326ed
    File type
    Unspecified binary - probably data
    First seen
    2013-03-09
  • c:\Documents and Settings\test user\Application Data\Azecdi\ugvyzua.exe
    Size
    455K
    SHA-1
    9ddbb1106a6bcbc47a08ae8a2b64f38d71fc1c61
    MD5
    0a0d18ba4524d530f819fd5fc3b5dd38
    CRC-32
    7a7ea0c9
    File type
    Windows executable
    First seen
    2013-03-09
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\WinRAR SFX
    C%%DOCUME~1%support%LOCALS~1%Temp
    C:\DOCUME~1\support\LOCALS~1\Temp
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Owogka
    Udigzuyv
    (binary data; non-printable bytes not reproduced)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {FD61411B-E17C-225B-0E8B-B323D864978E}
    "c:\Documents and Settings\test user\Application Data\Azecdi\ugvyzua.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    9e c8 5b cb 6c 1c ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\azecdi\ugvyzua.exe
  • c:\docume~1\support\locals~1\temp\theg.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • thegreencamelkenya.com

Example 2

File Information

Size
455K
SHA-1
9ddbb1106a6bcbc47a08ae8a2b64f38d71fc1c61
MD5
0a0d18ba4524d530f819fd5fc3b5dd38
CRC-32
7a7ea0c9
File type
Windows executable
First seen
2013-03-09
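The file hashes, Run-key persistence entry, firewall list changes and DNS request above are the indicators a responder would actually sweep a host for. As an added example (not Sophos code or tooling), the following Python transcribes those indicators and checks an offline host snapshot against them. The hash tables and the registry/DNS values are taken verbatim from Example 1 and Example 2; the two regular expressions that generalise the GUID-named Run value and the `Application Data\<random>\<random>.exe` path are the editor's own heuristics and an assumption about the family, as is the Vista-and-later `AppData\Roaming` equivalent, and the host snapshot in `__main__` is constructed, not taken from the page.

```python
"""Offline IOC matcher built from the Troj/Zbot-EBN analysis above (added example)."""
import hashlib
import re
import zlib

# Indicators transcribed from the analysis: algorithm -> hex digest -> description.
HASH_IOCS = {
    "sha1": {
        "510f78a210725efd3a01aaa61cc6e8568e27d4a3": "Troj/Zbot-EBN example 1 (532K dropper)",
        "9ddbb1106a6bcbc47a08ae8a2b64f38d71fc1c61": "Troj/Zbot-EBN example 2 / dropped ugvyzua.exe (455K)",
        "3cd610eddd158662fb8639f6afa5785ee1eb2263": "dropped data file zykaag.asr (477 bytes)",
    },
    "md5": {
        "aee92617a5f0202f14b9eb9d717725e4": "Troj/Zbot-EBN example 1 (532K dropper)",
        "0a0d18ba4524d530f819fd5fc3b5dd38": "Troj/Zbot-EBN example 2 / dropped ugvyzua.exe (455K)",
        "bcb31d2d1f33657596cc8b9af3429a83": "dropped data file zykaag.asr (477 bytes)",
    },
    "crc32": {
        "b0274e8d": "Troj/Zbot-EBN example 1 (532K dropper)",
        "7a7ea0c9": "Troj/Zbot-EBN example 2 / dropped ugvyzua.exe (455K)",
        "d48326ed": "dropped data file zykaag.asr (477 bytes)",
    },
}
DNS_IOCS = {"thegreencamelkenya.com"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LISTS = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List",
)

# Heuristics (editor's assumptions, generalised from the single run on the page).
GUID_VALUE_NAME = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
# <profile>\Application Data\<letters>\<letters>.exe (XP layout seen on the page)
# or <profile>\AppData\Roaming\... (assumed Vista+ equivalent).
RANDOM_APPDATA_EXE = re.compile(
    r"\\(?:application data|appdata\\roaming)\\[a-z]{4,12}\\[a-z]{4,12}\.exe$", re.I
)


def file_hashes(data: bytes) -> dict:
    """Compute the three digests the analysis lists, as lowercase hex."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def match_hashes(hashes: dict):
    """Return (description, algorithm) for the strongest matching digest, else None.

    SHA-1 is tried first and CRC-32 last: a CRC-32 hit on its own is a weak
    indicator (32 bits, trivially collidable) and should be confirmed with a
    stronger hash before being treated as a detection.
    """
    for algo in ("sha1", "md5", "crc32"):
        hit = HASH_IOCS[algo].get(hashes.get(algo, "").lower())
        if hit:
            return hit, algo
    return None


def suspicious_run_value(name: str, data: str) -> bool:
    """Flag a Run value shaped like the persistence entry in the analysis:
    a GUID-style value name whose command is an .exe in a randomly named
    Application Data folder."""
    command = data.strip().strip('"')
    return bool(GUID_VALUE_NAME.match(name)) and bool(RANDOM_APPDATA_EXE.search(command))


def explorer_firewall_exception(key: str, value_names) -> bool:
    """True if explorer.exe appears in a firewall AuthorizedApplications list,
    as the run recorded for both the Standard and Domain profiles."""
    return key in FIREWALL_LISTS and any(v.lower().endswith("\\explorer.exe") for v in value_names)


def triage(files: dict, run_values: dict, firewall: dict, dns_queries) -> list:
    """Run every check over a host snapshot and return a list of findings.

    files: path -> bytes; run_values: value name -> command under RUN_KEY;
    firewall: list key -> value names; dns_queries: names looked up.
    """
    findings = []
    for path, content in files.items():
        hit = match_hashes(file_hashes(content))
        if hit:
            desc, algo = hit
            strength = "weak" if algo == "crc32" else "strong"
            findings.append(f"{strength} hash match ({algo}): {path} -> {desc}")
    for name, cmd in run_values.items():
        if suspicious_run_value(name, cmd):
            findings.append(f"Zbot-style Run persistence: {name} = {cmd}")
    for key, names in firewall.items():
        if explorer_firewall_exception(key, names):
            findings.append(f"explorer.exe whitelisted in firewall list {key}")
    for q in dns_queries:
        if q.lower().rstrip(".") in DNS_IOCS:
            findings.append(f"DNS lookup of known Zbot-EBN domain: {q}")
    return findings


if __name__ == "__main__":
    # Constructed snapshot (not from the page): one benign file plus the
    # registry and DNS artefacts the sandbox run recorded.
    snapshot_files = {r"C:\Temp\notes.txt": b"just a text file"}
    run_values = {
        "{FD61411B-E17C-225B-0E8B-B323D864978E}":
            r'"c:\Documents and Settings\test user\Application Data\Azecdi\ugvyzua.exe"',
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    }
    firewall = {FIREWALL_LISTS[0]: [r"%windir%\explorer.exe"]}
    for finding in triage(snapshot_files, run_values, firewall, ["thegreencamelkenya.com", "www.example.com"]):
        print(finding)
```

Hash matching is exact and only catches these two samples; the Run-key and firewall checks are the part that survives a repack, and a hit there should be followed by pulling the referenced executable and hashing it rather than trusting the path pattern alone.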
