Troj/Zbot-EYC

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 04 May 2013 17:58:20 (GMT)
Last Updated: 04 May 2013 17:58:20 (GMT)


Examples of Troj/Zbot-EYC include:

Example 1

File Information
  Size: 897K
  SHA-1: 7dafbdf8a0716ff12d4bfd0af4275d46c9f26bd7
  MD5: ff59f6990a44e4a98835f72a8e2716e8
  CRC-32: 0a76d443
  File type: Windows executable
  First seen: 2013-05-04

Example 2

File Information
  Size: 897K
  SHA-1: bf6b3ef799fbc4731aefa833409aedda23177a94
  MD5: 1548b67d5be8ebbce17906d9ed21ec18
  CRC-32: b7edcaf8
  File type: Windows executable
  First seen: 2007-08-12

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Addyot\ehyhsu.onv
    Size: 477
    SHA-1: 359cc81b9a657fdd2fa032dd555b5cfc6f6d0e7c
    MD5: 83f0ea56dd5643c953eac0c43f9af035
    CRC-32: 6ce2b095
    File type: Unspecified binary - probably data
    First seen: 2013-05-04
  • c:\Documents and Settings\test user\Application Data\Addyot\ehyhsu.tmp
    Size: 563
    SHA-1: 303fea961b07f494fdc48ce26eb48c02285d461c
    MD5: 980595bab98b707b1989d4f3305b009a
    CRC-32: 2804824a
    File type: Unspecified binary - probably data
    First seen: 2013-05-04
  • c:\Documents and Settings\test user\Application Data\Ifyraze\esomfai.exe
    Size: 897K
    SHA-1: 7dafbdf8a0716ff12d4bfd0af4275d46c9f26bd7
    MD5: ff59f6990a44e4a98835f72a8e2716e8
    CRC-32: 0a76d443
    File type: Windows executable
    First seen: 2013-05-04
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe = %windir%\explorer.exe
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9BB4AE73-CB78-BDB2-2F99-EC9EDD149165} = "c:\Documents and Settings\test user\Application Data\Ifyraze\esomfai.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe = %windir%\explorer.exe
  • HKCU\Software\Microsoft\Uziwdi
    Uhekas = k□□□□□□□□□□□P□□□:□□^□□□□□c□Pf□□□□`□□□□□□□□ !□ □□□□□□w□□□□□>□P□□□0□□□□□□□□;□`i□p'□□u□□□□□\□□□□□□□□□□p□□□□□P□□@□□ □□ □□□1□□D□□□□□□□@□□p}□□y□□s□P□□p□□0□□□□□P□□□□□`□□□M□□□□□□□`i□
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 12 64 d2 05 d5 48 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\ifyraze\esomfai.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • svv.yenchellam.biz