Troj/Zbot-EKS

Category: Viruses and Spyware
Type: Trojan
Protection available since: 01 Apr 2013 04:25:56 (GMT)
Last Updated: 01 Apr 2013 04:25:56 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-EKS include:

Example 1

File Information

Size: 417K
SHA-1: 4568221f26329fc9ae63ecc468a04c11ced2866f
MD5: 48662e9415c74669bd36a823ff75f7e2
CRC-32: fe59d4a6
File type: Windows executable
First seen: 2007-08-08

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Elcuu\noix.qav
    Size: 1.1K
    SHA-1: 833870be66245671195b62d67df0e936298a3012
    MD5: 2683afc9222873a491bc6ee004c4f275
    CRC-32: 3d193752
    File type: application/octet-stream
    First seen: 2013-04-01
  • c:\Documents and Settings\test user\Application Data\Ibyvo\uvdef.exe
    Size: 417K
    SHA-1: d555524cadaad23f71f68047b2867ec4b86c5cff
    MD5: 72db17cb62899772972a3bd3ed6b96f6
    CRC-32: ff7306cb
    File type: application/x-ms-dos-executable
    First seen: 2013-04-01
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8}
    "c:\Documents and Settings\test user\Application Data\Ibyvo\uvdef.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Tehum
    Weymucb
    □□□□:□`a□□r□ *□□{□`A□@□□□O□□□□□□□p□□□□□ G□□c□0□□0o□□□□□□□□i□□□□□□□ □□@Z□□□□□□□□□□□□□□□□□□□□5□P7□□□□□v□P□□0□□`□□ □□□□□P□□□□□0□□ p□□□□□}□□$□□□□@?□`□□□□□□□□□□□`□□□□□□1□P0□□□□0□□
  • HKCU\Identities
    Identity Login
    0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    58 8a 25 7a 75 2e ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\ibyvo\uvdef.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://mantourmiao.su/admin/folder/config.bin
DNS Requests
  • mantourmiao.su

Example 2

File Information

Size: 297K
SHA-1: 7bdb33878070466193eec5c021f9b2a4eca21b2b
MD5: bbd98e211cdf50549111f70f2f208f44
CRC-32: 389a96aa
File type: application/x-ms-dos-executable
First seen: 2013-04-01

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Kuukat\udbio.tmp
    Size: 563
    SHA-1: 5bed25ad36ffac91abee7e792ec71b0c8a6175a7
    MD5: 50957404f4d22fb444a03a0d90f23f35
    CRC-32: 212f0b05
    File type: application/octet-stream
    First seen: 2013-04-01
  • c:\Documents and Settings\test user\Application Data\Guucx\xomaa.exe
    Size: 297K
    SHA-1: 7f38b9bfab4fefd6e2073399ea29a839c5631bd7
    MD5: 4b47f498dd7e9a10f4b0891a4868cb46
    CRC-32: 72dc0d9d
    File type: application/x-ms-dos-executable
    First seen: 2013-04-01
  • c:\Documents and Settings\test user\Application Data\Kuukat\udbio.eza
    Size: 477
    SHA-1: 9127e4ba2f6230d381a83fcd6443c69bf1395aad
    MD5: 5c36de9454231b96536604721d9b96ee
    CRC-32: d590cd31
    File type: application/octet-stream
    First seen: 2013-04-01
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Ekalb
    Uxephaugz
    Y;□p□□□B□□l□ □□□]□p□□□□□Pv□□□□□□□□\□ □□□□□ □□□a□P□□0□□`□□□P□□□□□3□p□□□□□□□□0□□p^□`□□□□□ <□□r□p□□□^□ □□□□□□□□□□□□&□□□□p□□0Q□□□□0T□□□□□□□□□□□X□□c□0□□□9□ □□□]□□□□□□□□)□□□□□□□□n□
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9B8CA0D0-0E2F-FD69-33A2-D964A19BBA05}
    "c:\Documents and Settings\test user\Application Data\Guucx\xomaa.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    1e 4f 49 11 76 2e ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
Processes Created
  • c:\Documents and Settings\test user\application data\guucx\xomaa.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://mails.3utilities.com/aliboy/config.bin
DNS Requests
  • mails.3utilities.com
