Troj/Zbot-EYJ

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 05 May 2013 12:51:55 (GMT)
Last Updated: 05 May 2013 12:51:55 (GMT)


Examples of Troj/Zbot-EYJ include:

Example 1

File Information

Size: 266K
SHA-1: 0b9119c5bb6654e675baec22a05e04dd6895519e
MD5: bd9876e8f238d6d258b5b57cba1bbff8
CRC-32: 3b312d9a
File type: Windows executable
First seen: 2013-05-04

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Iwlezu\lavyx.tmp
    Size: 661
    SHA-1: 535c6b867fcf4b6e75fd0fdf8966d8b1b6785a83
    MD5: 7c964a4edb5d4741e2833bcaca5a5353
    CRC-32: 3c6ec907
    File type: Unspecified binary - probably data
    First seen: 2013-05-04
  • c:\Documents and Settings\test user\Application Data\Qimo\urqe.exe
    Size: 266K
    SHA-1: 9ef9e1471a2a9dab1fe33b9670bc3b55954fff7b
    MD5: 30c50b7cd9aadc9ff727c5e767e883ee
    CRC-32: 175613e2
    File type: Windows executable
    First seen: 2013-05-04
  • c:\Documents and Settings\test user\Application Data\Iwlezu\lavyx.qeq
    Size: 3.8K
    SHA-1: d0304cb5e8036778b40c97ae1ccf3d52ec460eff
    MD5: 5b37c49fd4d550dbc0ba3f5bd43f51be
    CRC-32: 46aad8c8
    File type: Unspecified binary - probably data
    First seen: 2013-05-04
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login: 0x00098053
  • HKCU\Software\Microsoft\Oxka
    Potohasi: (binary value; non-printable data, not reproduced here)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Qyyveve: "c:\Documents and Settings\test user\Application Data\Qimo\urqe.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609: 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count: 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp: e8 7f 82 7b 1c 49 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\qimo\urqe.exe
DNS Requests
  • decembraz.ru
  • itzotnice.ru

Example 2

File Information

Size: 266K
SHA-1: 9ef9e1471a2a9dab1fe33b9670bc3b55954fff7b
MD5: 30c50b7cd9aadc9ff727c5e767e883ee
CRC-32: 175613e2
File type: Windows executable
First seen: 2013-05-04
