Troj/Zbot-EDF

Category: Viruses and Spyware
Type: Trojan
Protection available since: 09 Mar 2013 22:42:13 (GMT)
Last Updated: 09 Mar 2013 22:42:13 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-EDF include:

Example 1

File Information

Size
701K
SHA-1
ac4936b4d2fe78848e4b48428198a3ddb4a8b64d
MD5
13d926dc984b7ebdee2a5889d27435d9
CRC-32
43d63612
File type
Windows executable
First seen
2013-03-09

Example 2

File Information

Size
701K
SHA-1
f2c8e14e4eee845a39ca448fd569a53413f787da
MD5
35804b436e19c386a0edd5bd94a22087
CRC-32
4dc6ccdf
File type
Windows executable
First seen
2013-03-09

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Urdi\ifwu.exe
    Size
    701K
    SHA-1
    ac4936b4d2fe78848e4b48428198a3ddb4a8b64d
    MD5
    13d926dc984b7ebdee2a5889d27435d9
    CRC-32
    43d63612
    File type
    Windows executable
    First seen
    2013-03-09
  • c:\Documents and Settings\test user\Application Data\Ylwe\elno.zou
    Size
    477
    SHA-1
    9baab02749c8d430dd263e68e21f0ee67f120e34
    MD5
    a62124c2736febcadc120657c30730c0
    CRC-32
    8a60647f
    File type
    Unspecified binary - probably data
    First seen
    2013-03-09
  • c:\Documents and Settings\test user\Local Settings\Temp\Ichito.pdf
    Size
    165K
    SHA-1
    c0598179c69262ca8fdaef37dc8a136ce3471dac
    MD5
    31db273e4adf3ce16d25f3b238c90dfd
    CRC-32
    92dbafa2
    File type
    Adobe Portable Document Format (PDF)
    First seen
    2013-03-09
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Fitod
    Meviive
    (binary value; non-printable data not reproduced)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9BE70FB6-7C59-72A2-0A75-AD3F8FEDF619}
    "c:\Documents and Settings\test user\Application Data\Urdi\ifwu.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    14 5b 6d 55 e1 1c ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\urdi\ifwu.exe
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://fullcolor7.com/index/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • fullcolor7.com
  • www.google.bg
  • www.google.com
