Troj/Zbot-EUF

Category: Viruses and Spyware
Type: Trojan
Protection available since: 26 Apr 2013 07:16:14 (GMT)
Last Updated: 19 Feb 2014 17:48:56 (GMT)
Prevalence: Small Number of Reports

Examples of Troj/Zbot-EUF include:

Example 1

File Information

Size
1.2M
SHA-1
1c2235de66fcaa5c8943c7907f25fce23fc85fa3
MD5
48456870842c127372c56d841292d38e
CRC-32
f430d86d
File type
Windows executable
First seen
2013-04-25

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\sms.exe
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Messages Controler
    c:\windows\sms.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\test_item.exe
    c:\windows\sms.exe:*:Enabled:Windows Messages Controler
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Messages Controler
    c:\windows\sms.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
    Start Page
    fbdirecto.net/1/
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Messages Controler
    c:\windows\sms.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Start Page
    fbdirecto.net/1/
Processes Created
  • c:\windows\sms.exe
  • c:\windows\system32\netsh.exe

Example 2

File Information

Size
348K
SHA-1
7d4d12db41ff7789d3f25b7a47788b0e348d7c10
MD5
042e9386576562b2648ef71ed00b682d
CRC-32
9d245e94
File type
Windows executable
First seen
2013-04-25

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Yxtyfa\axoh.tmp
  • c:\Documents and Settings\test user\Application Data\Kiuqu\isze.exe
    Size
    348K
    SHA-1
    99c57e3ffff9e9a0c87451283503337771d7ddf3
    MD5
    2ded50875594d0e40b3ea0378c4127c5
    CRC-32
    9ff8b3a1
    File type
    Windows executable
    First seen
    2013-04-25
  • c:\Documents and Settings\test user\Local Settings\Temp\file.exe
    Size
    348K
    SHA-1
    99c57e3ffff9e9a0c87451283503337771d7ddf3
    MD5
    2ded50875594d0e40b3ea0378c4127c5
    CRC-32
    9ff8b3a1
    File type
    Windows executable
    First seen
    2013-04-25
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {FA71AD8F-3564-7EE8-7C0A-951BD2DC7BED}
    "c:\Documents and Settings\test user\Application Data\Kiuqu\isze.exe"
  • HKCU\Software\Microsoft\Ofek
    Opkeek
    [binary data, not printable]
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\kiuqu\isze.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://207.45.178.42/~hqycwfdb/fed/config.bin
IP Connections
  • 207.45.178.42:80

Example 3

File Information

Size
348K
SHA-1
c865f31f759690873fe408635a4c50be45a7d2d5
MD5
660ddb3456ae428eb3204ab0e5de4189
CRC-32
c2573d77
File type
Windows executable
First seen
2013-04-25

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\file.exe