Troj/Zbot-EKF

Category: Viruses and Spyware
Type: Trojan
Protection available since: 29 Mar 2013 15:35:46 (GMT)
Last Updated: 29 Mar 2013 15:35:46 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-EKF exhibits the following characteristics:

File Information

Size: 196K
SHA-1: 2df362a3620b36634ad0da4246ebb0ef96df1ac9
MD5: 2b927f5822f94112767494c70d2e2359
CRC-32: c7499f86
File type: Windows executable
First seen: 2013-03-26

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Yhugigp\icbaob.tmp
    Size: 563
    SHA-1: 57997a97775d2e9fedb11038154c9aa5d8282ce7
    MD5: 69e1c9505110c04015d55e2bf3045501
    CRC-32: 5bd47c28
    File type: application/octet-stream
    First seen: 2013-03-29
  • c:\Documents and Settings\test user\Application Data\Yhugigp\icbaob.zea
    Size: 477
    SHA-1: 73f458385594eeebbcdf33cd60878d01182a1b9f
    MD5: c14942f370e4e0a7144c4803243a37ec
    CRC-32: 199a2dac
    File type: application/octet-stream
    First seen: 2013-03-29
  • c:\Documents and Settings\test user\Application Data\Exill\risiez.exe
    Size: 196K
    SHA-1: a855009cf3d5d47236dbcc96f3b082d88e724b3a
    MD5: b3245d0235f6cd0f8de28798e14293ac
    CRC-32: da426174
    File type: application/x-ms-dos-executable
    First seen: 2013-03-29
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Value: %windir%\explorer.exe
    Data: %windir%\explorer.exe
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    Value: CleanCookies
    Data: 0x00000000
  • HKCU\Identities
    Value: Identity Login
    Data: 0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Value: {D334D4CE-FE69-07E8-056C-EFD5412237F7}
    Data: "c:\Documents and Settings\test user\Application Data\Exill\risiez.exe"
  • HKCU\Software\Microsoft\Emva
    Value: Niopavq
    Data: (binary data, not reproduced)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    Value: %windir%\explorer.exe
    Data: %windir%\explorer.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Value: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Value: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Value: 1609
    Data: 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Value: Compact Check Count
    Data: 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Value: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    Value: TimeStamp
    Data: 58 56 4b cc 60 2c ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\exill\risiez.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • doitqicktlaw.ru