Troj/Zbot-ERD

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 26 Apr 2013 05:13:52 (GMT)
Last Updated: 26 Apr 2013 05:13:52 (GMT)

Examples of Troj/Zbot-ERD include:

Example 1

File Information
  Size: 345K
  SHA-1: 27a4778952bafd644bec06eaa43673d9e14165c6
  MD5: 8187224242e3b4aa5c8981e24ac9d079
  CRC-32: be0c5198
  File type: Windows executable
  First seen: 2013-04-26

Example 2

File Information
  Size: 345K
  SHA-1: 2dd91db2a564549a73e38212fcfce5dd709a3e92
  MD5: 9c1ae8da205b007e7e55b00d514173c9
  CRC-32: 870a5db6
  File type: Windows executable
  First seen: 2013-04-26

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Geti\wyeh.xyi
    Size: 477
    SHA-1: 90af8c8b606936b3526b13f5497ac188f8172698
    MD5: 11f17aec863786fdb7021b047f61e10f
    CRC-32: 6aa61950
    File type: Unspecified binary - probably data
    First seen: 2013-04-26
  • c:\Documents and Settings\test user\Application Data\Geti\wyeh.tmp
    Size: 563
    SHA-1: a5308e5c64d22b7b479e58835d7b2877594ebb44
    MD5: 34d833d25af59291ec1036c424db5f6d
    CRC-32: 3769b45c
    File type: Unspecified binary - probably data
    First seen: 2013-04-26
  • c:\Documents and Settings\test user\Application Data\Pimed\pycou.exe
    Size: 345K
    SHA-1: 27a4778952bafd644bec06eaa43673d9e14165c6
    MD5: 8187224242e3b4aa5c8981e24ac9d079
    CRC-32: be0c5198
    File type: Windows executable
    First seen: 2013-04-26
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {6963B866-C696-D64B-728A-4E976E2393F0} = "c:\Documents and Settings\test user\Application Data\Pimed\pycou.exe"
  • HKCU\Software\Microsoft\Tuybyq
    Roti = (binary data, not printable)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Identities
    Identity Login = 0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = a4 33 03 d9 16 42 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\pimed\pycou.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://nonstopprofit.net/wallpaper/pier/config.bin
DNS Requests
  • nonstopprofit.net