Troj/Zbot-EYP

Category: Viruses and Spyware
Type: Trojan
Protection available since: 13 May 2013 07:05:41 (GMT)
Last Updated: 13 May 2013 07:05:41 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-EYP exhibits the following characteristics:

File Information
  Size: 509K
  SHA-1: 38f5e1c930136b389270cad13f568938b1e72e6f
  MD5: ce71b1812822110b746d5cc3539d2dea
  CRC-32: cc1d048d
  File type: Windows executable
  First seen: 2013-05-13

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Sysu\asuku.tmp
    Size: 563
    SHA-1: 699dd8dd00d466d14a7926d5194e4bc9546793a2
    MD5: 7b402d982e6486b4ebce7d2a5b3fcafb
    CRC-32: aab96e55
    File type: Unspecified binary - probably data
    First seen: 2013-05-13
  • c:\Documents and Settings\test user\Application Data\Icxuqo\rafei.exe
    Size: 509K
    SHA-1: 4b7b9e6a289dc67c5fa85bbfc4119fcca2794428
    MD5: cbfcbae7fb48ddaa6143f6befcfbb7ce
    CRC-32: 2463d439
    File type: Windows executable
    First seen: 2013-05-13
  • c:\Documents and Settings\test user\Application Data\Sysu\asuku.veo
    Size: 477
    SHA-1: 76d03df772e18f690945e78ab5a6a599e818cb2c
    MD5: 620928697f5537de0e1b9dc7dfa2d54c
    CRC-32: 6e1c6dea
    File type: Unspecified binary - probably data
    First seen: 2013-05-13
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {566F1A39-3EB9-B926-9BC7-6510823D0864} = "c:\Documents and Settings\test user\Application Data\Icxuqo\rafei.exe"
  • HKCU\Software\Microsoft\Yblepu
    Maemryohx = (binary data; the value is not rendered legibly in the source)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 24 11 4c 29 8b 4f ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\icxuqo\rafei.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://95.211.211.91/office/adesewa/server/format.bin
IP Connections
  • 95.211.211.91:80
