Troj/Zbot-EYB

Category: Viruses and Spyware
Type: Trojan
Protection available since: 04 May 2013 17:58:20 (GMT)
Last Updated: 04 May 2013 17:58:20 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-EYB include:

Example 1

File Information

Size: 289K
SHA-1: 2773da73a8549bb2785b093e89365c5a1a181f57
MD5: b52f261e29c23ec2e92451f449880e18
CRC-32: a078d167
File type: Windows executable
First seen: 2013-05-04

Example 2

File Information

Size: 289K
SHA-1: c205c084c43dc4207397251ddc8d8f434a845ad8
MD5: b8d9b77c93d7e924ff4b701f73253f19
CRC-32: e7f1e6fe
File type: Windows executable
First seen: 2007-08-12

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Azgi\apmi.yks
    Size: 477
    SHA-1: 164ae0a16518e8f47330c178a8849291a57306e2
    MD5: f09bdf3d5d9051ee25a3a5437b88c3eb
    CRC-32: 0869d9da
    File type: Unspecified binary - probably data
    First seen: 2013-05-04
  • c:\Documents and Settings\test user\Application Data\Azgi\apmi.tmp
    Size: 563
    SHA-1: b86d0b941677a0f33988e717ac361030f2a3e74d
    MD5: 95fc2be70f13308ad8a3bbcfd1296f10
    CRC-32: 81fcf401
    File type: Unspecified binary - probably data
    First seen: 2013-05-04
  • c:\Documents and Settings\test user\Application Data\Fioh\otaf.exe
    Size: 289K
    SHA-1: 2773da73a8549bb2785b093e89365c5a1a181f57
    MD5: b52f261e29c23ec2e92451f449880e18
    CRC-32: a078d167
    File type: Windows executable
    First seen: 2013-05-04
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Cetas
    Ollo = (binary data; value not reproduced)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {73420881-E8A7-F50A-6843-A516C6EDC68E} = "c:\Documents and Settings\test user\Application Data\Fioh\otaf.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Identities
    Identity Login = 0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 1c 4e cb fa d4 48 ce 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\fioh\otaf.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://truepeople.co.in/qwt/ext2.bin
DNS Requests
  • truepeople.co.in
