Troj/Zbot-EUN

Category: Viruses and Spyware
Type: Trojan
Protection available since: 26 Apr 2013 15:26:05 (GMT)
Last Updated: 26 Apr 2013 15:26:05 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-EUN exhibits the following characteristics:

File Information

Size: 465K
SHA-1: 70dedf57fe75fb5f067250e41d9612d393c03f5c
MD5: 50fbfbf104d10023b5b12e12bd4e99af
CRC-32: 575a4b68
File type: Windows executable
First seen: 2013-04-26

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Hyetov\yhpay.veu
    Size: 477
    SHA-1: c9168cc785df9bdef072f6db5b2fbad160f0ec65
    MD5: 9d28cc6e930a67fa37745469085007e3
    CRC-32: 24e4cb06
    File type: Unspecified binary - probably data
    First seen: 2013-04-26
  • c:\Documents and Settings\test user\Application Data\Boaf\xaevz.exe
    Size: 465K
    SHA-1: e729e254e86cb0bed37cab11857d661d02b20dfc
    MD5: f3a06bb62b46207368a8c51254ac49c2
    CRC-32: 96f9fdd2
    File type: Windows executable
    First seen: 2013-04-26
  • c:\Documents and Settings\test user\Application Data\Hyetov\yhpay.tmp
    Size: 563
    SHA-1: 47cc30af59d750dde617875e888cbae2fc10d990
    MD5: 8dd1fc363f780ae04eb2fa67a68b7f20
    CRC-32: 113c2504
    File type: Unspecified binary - probably data
    First seen: 2013-04-26
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Piodn
    Zuce = (binary data; not rendered in this report)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {3C04298E-9690-ED2F-96FD-FD40DDF8DFA1} = "c:\Documents and Settings\test user\Application Data\Boaf\xaevz.exe"
  • HKCU\Identities
    Identity Login = 0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 32 15 11 a4 7d 42 ce 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\boaf\xaevz.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://37.0.122.119/loco-office/ode/server/format.bin
IP Connections
  • 37.0.122.119:80
