Troj/Zbot-EHY

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 21 Mar 2013 20:36:50 (GMT)
Last Updated: 23 Mar 2013 00:16:06 (GMT)


Examples of Troj/Zbot-EHY include:

Example 1

File Information

Size: 40K
SHA-1: 4f02cb6e967d73986d1e0222bdceefdba6823472
MD5: fb34c5e9134872aa69a0ed49ec3aab76
CRC-32: 414b936d
File type: Windows executable
First seen: 2013-03-20

Runtime Analysis

Copies Itself To
  • C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Sophos Client Firewall Manager
    (Default)
    service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Base
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E96F-E325-11CE-BFC1-08002BE10318}
    (Default)
    Mouse
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
    (Default)
    Human Interface Devices
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E969-E325-11CE-BFC1-08002BE10318}
    (Default)
    Standard floppy disk controller
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Sophos Client Firewall
    (Default)
    service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\SCSI Class
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E977-E325-11CE-BFC1-08002BE10318}
    (Default)
    PCMCIA Adapters
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\LmHosts
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Netlogon
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\SRService
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E975-E325-11CE-BFC1-08002BE10318}
    (Default)
    NetTrans
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\DcomLaunch
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmio.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\CryptSvc
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdpcdd.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E969-E325-11CE-BFC1-08002BE10318}
    (Default)
    Standard floppy disk controller
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
    (Default)
    Volume
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetMan
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
    (Default)
    Human Interface Devices
  • HKCU\Software\Microsoft\Windows\CurrentVersion
    DNS
    c:\test_item.exe
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E96F-E325-11CE-BFC1-08002BE10318}
    (Default)
    Mouse
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\AppMgmt
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E97B-E325-11CE-BFC1-08002BE10318}
    (Default)
    SCSIAdapter
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Streams Drivers
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
    (Default)
    Volume
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\DnsCache
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\HelpSvc
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\AppMgmt
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetworkProvider
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PCI Configuration
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Messenger
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdpwd.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\EventLog
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmboot.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Filter
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmserver
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NDIS Wrapper
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmload.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\ip6fw.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E980-E325-11CE-BFC1-08002BE10318}
    (Default)
    Floppy disk drive
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\LanmanServer
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Boot Bus Extender
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\TDI
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\vds
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Network
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\WinMgmt
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\vgasave.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\PCI Configuration
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Primary disk
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Tcpip
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\SAVService
    (Default)
    service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E974-E325-11CE-BFC1-08002BE10318}
    (Default)
    NetService
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmadmin
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\vgasave.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Boot file system
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\EventLog
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NtLmSsp
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\SharedAccess
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetDDEGroup
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Netlogon
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\RpcSs
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetBT
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\WinMgmt
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Filter
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\HelpSvc
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\LanmanWorkstation
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\File system
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Boot file system
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmio.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E96A-E325-11CE-BFC1-08002BE10318}
    (Default)
    Hdc
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\termservice
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PNP_TDI
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\tdtcp.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E96B-E325-11CE-BFC1-08002BE10318}
    (Default)
    Keyboard
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\sermouse.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\System Bus Extender
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetBIOS
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\vga.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\sr.sys
    (Default)
    FSFilter System Recovery
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Base
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E97B-E325-11CE-BFC1-08002BE10318}
    (Default)
    SCSIAdapter
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmadmin
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E97D-E325-11CE-BFC1-08002BE10318}
    (Default)
    System
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E972-E325-11CE-BFC1-08002BE10318}
    (Default)
    Net
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E973-E325-11CE-BFC1-08002BE10318}
    (Default)
    NetClient
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\ipnat.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdsessmgr
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E96A-E325-11CE-BFC1-08002BE10318}
    (Default)
    Hdc
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MigAutoPlay
    "C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe"
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\vga.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\WZCSVC
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Browser
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E980-E325-11CE-BFC1-08002BE10318}
    (Default)
    Floppy disk drive
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{36FC9E60-C465-11CF-8056-444553540000}
    (Default)
    Universal Serial Bus controllers
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Ndisuio
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{36FC9E60-C465-11CF-8056-444553540000}
    (Default)
    Universal Serial Bus controllers
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PlugPlay
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\File system
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdpdd.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\sermouse.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\tdpipe.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Dhcp
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Boot Bus Extender
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\SRService
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E977-E325-11CE-BFC1-08002BE10318}
    (Default)
    PCMCIA Adapters
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Primary disk
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\sr.sys
    (Default)
    FSFilter System Recovery
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
    (Default)
    Volume shadow copy
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E97D-E325-11CE-BFC1-08002BE10318}
    (Default)
    System
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NDIS
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmload.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\PNP Filter
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\System Bus Extender
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\PlugPlay
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\SCSI Class
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmboot.sys
    (Default)
    Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetBIOSGroup
    (Default)
    Driver Group
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\CryptSvc
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E96B-E325-11CE-BFC1-08002BE10318}
    (Default)
    Keyboard
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\SAVService
    (Default)
    service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\AFD
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmserver
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\DcomLaunch
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\RpcSs
    (Default)
    Service
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PNP Filter
    (Default)
    Driver Group
Processes Created
  • c:\windows\system32\svchost.exe

Example 2

File Information

Size: 278K
SHA-1: 5bd6a1a6091494e1da422789098d62111951ae2d
MD5: 48e5f17421c0781873e0ad946fb9e510
CRC-32: 90bd7a22
File type: Windows executable
First seen: 2013-03-20

Runtime Analysis

Dropped Files
  • C:\WINDOWS\Tasks\ssvegla.job
    Size: 276
    SHA-1: 0eb462a67ee3be32a340772a12bd946a6a6ae255
    MD5: 653595fc3bea7c03b1704bd3f76971d6
    CRC-32: b28c18b7
    File type: Unspecified binary - probably data
    First seen: 2013-03-20
  • C:\Documents and Settings\All Users\Application Data\Mozilla\entthaf.exe
    Size: 278K
    SHA-1: 0c42ea992d43a110e1d5c75c31d6998e80673384
    MD5: 4bbbd3a91cdced0bbe91672aa8d03cce
    CRC-32: 55dd71ab
    File type: Windows executable
    First seen: 2013-03-20

Example 3

File Information

Size: 282K
SHA-1: 6951e3543a788bf62508fe9529f7cc1490178023
MD5: 52765ec322aa5b83015cdb03d30eae4f
CRC-32: e803bb30
File type: Windows executable
First seen: 2013-03-20

Runtime Analysis

Dropped Files
  • C:\WINDOWS\Tasks\ssvegla.job
    Size: 276
    SHA-1: 6f1dd34c3f821e0d24d4ea2767b1f68e4f94751b
    MD5: cdb64a9c829854de8fbaafaaed7ef62f
    CRC-32: caf0c221
    File type: Unspecified binary - probably data
    First seen: 2013-03-20
  • C:\Documents and Settings\All Users\Application Data\Mozilla\entthaf.exe
    Size: 282K
    SHA-1: a588f6f47bf5f25e353cb1721d6207c667e0c6fb
    MD5: c267c8d6a0bc2f39297434eb268ce24c
    CRC-32: 804e50c7
    File type: Windows executable
    First seen: 2013-03-20
