Troj/Zbot-EMT

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 07 Apr 2013 06:12:00 (GMT)
Last Updated: 07 Apr 2013 06:12:00 (GMT)


Examples of Troj/Zbot-EMT include:

Example 1

File Information

Size
202K
SHA-1
4159d75da4e3233e37c3e6b0c61df29c2dfea5aa
MD5
b43d0739c9dc0c7cde5b8a3ecc7757ef
CRC-32
fc676d60
File type
Windows executable
First seen
2013-04-06

Example 2

File Information

Size
202K
SHA-1
d2cb1d786dd24b050571a6150b13cbeda9355b91
MD5
801f25b774e349cbcd1010d0a5bf4f35
CRC-32
e4bfbe33
File type
Windows executable
First seen
2013-04-06

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Kyef\obaffua.fof
    Size
    477
    SHA-1
    9054f7d0923b7f5afb71d9276cdec74e84a15f85
    MD5
    b3bbaaab5221c08b611ccd615b95b638
    CRC-32
    39e1386a
    File type
    Unspecified binary - probably data
    First seen
    2013-04-06
  • c:\Documents and Settings\test user\Application Data\Kyef\obaffua.tmp
    Size
    563
    SHA-1
    7086dca3a1eac61ce49268fbf73f7fe974ac9524
    MD5
    8f72788fd29788b803d4c96ac0ad9c60
    CRC-32
    e110d3a2
    File type
    Unspecified binary - probably data
    First seen
    2013-04-06
  • c:\Documents and Settings\test user\Application Data\Amahen\aliqynu.exe
    Size
    202K
    SHA-1
    4159d75da4e3233e37c3e6b0c61df29c2dfea5aa
    MD5
    b43d0739c9dc0c7cde5b8a3ecc7757ef
    CRC-32
    fc676d60
    File type
    Windows executable
    First seen
    2013-04-06
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Ifahan
    Teigziug
    (binary data; the value is not printable and is rendered as replacement characters in the listing)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {EE6B86AE-6B0E-82BB-9270-A8FBA7F8FC4B}
    "c:\Documents and Settings\test user\Application Data\Amahen\aliqynu.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    76 2d ea 1e f1 32 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
Processes Created
  • c:\Documents and Settings\test user\application data\amahen\aliqynu.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • earthnetcomgroup.ru
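
As an added triage example (not code from the Sophos analysis above), the following Python script encodes the indicators listed in this page's runtime analysis and matches them against a constructed set of host telemetry records. Note from the hashes above that the dropped Amahen\aliqynu.exe has the same SHA-1 as Example 1: the sample copies itself into the profile's Application Data folder and registers that copy under the HKCU Run key with a GUID-style value name, while explorer.exe is added to both firewall profiles' authorised-application lists. The event record schema, the rule names, the behavioural patterns (GUID-named Run value pointing into Application Data, executable running from Application Data) and the benign control records are assumptions made for the example, not something the page states.

```python
# Added example, not code from the Sophos page. Matches the indicators in the
# runtime analysis above against constructed telemetry records (assumed schema).
import re

# Indicators copied from this page's analysis.
KNOWN_SHA1 = {
    "4159d75da4e3233e37c3e6b0c61df29c2dfea5aa",  # Example 1 / dropped aliqynu.exe
    "d2cb1d786dd24b050571a6150b13cbeda9355b91",  # Example 2
    "9054f7d0923b7f5afb71d9276cdec74e84a15f85",  # dropped obaffua.fof
    "7086dca3a1eac61ce49268fbf73f7fe974ac9524",  # dropped obaffua.tmp
}
C2_DOMAINS = {"earthnetcomgroup.ru"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LIST_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\"
    r"FirewallPolicy\\(?:Standard|Domain)Profile\\AuthorizedApplications\\List$",
    re.IGNORECASE,
)
# Behavioural patterns generalised from the listing (assumption): a Run value
# named like a GUID whose data is an .exe in a subfolder of Application Data.
GUID_NAME_RE = re.compile(
    r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
APPDATA_EXE_RE = re.compile(
    r"(?:\\application data|%appdata%)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def triage(events):
    """Return a list of (rule, detail) findings for the given telemetry records.

    Each record is a dict with 'type' in {'file', 'reg', 'dns', 'proc'}; this
    schema is an assumption for the example, not a real product's format."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file":
            if ev.get("sha1", "").lower() in KNOWN_SHA1:
                findings.append(("known-hash", ev["path"]))
        elif kind == "reg":
            key, name, data = ev["key"], ev["name"], ev.get("data", "")
            if (key.lower() == RUN_KEY.lower() and GUID_NAME_RE.match(name)
                    and APPDATA_EXE_RE.search(data.strip('"'))):
                findings.append(("run-key-guid-appdata", f"{name} -> {data}"))
            elif FIREWALL_LIST_RE.match(key) and name.lower().endswith("\\explorer.exe"):
                findings.append(("firewall-allow-explorer", key))
        elif kind == "dns":
            q = ev["query"].lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
                findings.append(("c2-domain", q))
        elif kind == "proc":
            if APPDATA_EXE_RE.search(ev["image"]):
                findings.append(("exec-from-appdata", ev["image"]))
    return findings


# Constructed telemetry: the page's own artefacts plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "file",
     "path": r"c:\Documents and Settings\test user\Application Data\Amahen\aliqynu.exe",
     "sha1": "4159d75da4e3233e37c3e6b0c61df29c2dfea5aa"},
    {"type": "file",
     "path": r"c:\Documents and Settings\test user\Application Data\Kyef\obaffua.fof",
     "sha1": "9054f7d0923b7f5afb71d9276cdec74e84a15f85"},
    {"type": "reg", "key": RUN_KEY,
     "name": "{EE6B86AE-6B0E-82BB-9270-A8FBA7F8FC4B}",
     "data": r'"c:\Documents and Settings\test user\Application Data\Amahen\aliqynu.exe"'},
    {"type": "reg",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     "name": r"%windir%\explorer.exe", "data": r"%windir%\explorer.exe"},
    {"type": "reg", "key": RUN_KEY, "name": "VendorUpdater",        # benign control
     "data": r"C:\Program Files\Vendor\update.exe"},
    {"type": "proc",
     "image": r"c:\Documents and Settings\test user\application data\amahen\aliqynu.exe"},
    {"type": "proc", "image": r"c:\windows\system32\cmd.exe"},      # not flagged on its own
    {"type": "dns", "query": "earthnetcomgroup.ru"},
    {"type": "dns", "query": "www.example.com"},                    # benign control
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The hash rule is exact and only catches these two builds; the Run-key, firewall-list and execute-from-Application-Data rules are the ones that survive repacking, at the cost of needing the benign-control style of tuning shown above before they are used on real hosts.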
