Troj/Zbot-FAX

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 13 May 2013 07:05:41 (GMT)
Last Updated: 13 May 2013 07:05:41 (GMT)


Examples of Troj/Zbot-FAX include:

Example 1

File Information

Size: 509K
SHA-1: 1c23647ed63adc88d024d551318b9635f10f5427
MD5: ee60a4f2b58267056697003e958cda4f
CRC-32: ac98d531
File type: Windows executable
First seen: 2013-05-13

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Zues\owuf.liz
    Size: 477
    SHA-1: f5e94d2a3109c202eb2d7231d18a647f994864d2
    MD5: ec6c402ab2f4b0715f877fce32f0c4ab
    CRC-32: 1a3d1ed8
    File type: Unspecified binary - probably data
    First seen: 2013-05-13
  • c:\Documents and Settings\test user\Application Data\Foep\ebqui.exe
    Size: 509K
    SHA-1: 9c9b3f1904522841cf32fb227737ada02519195b
    MD5: 26737058d8bd7980cce3f22b290d244e
    CRC-32: 40e75032
    File type: Windows executable
    First seen: 2013-05-13
  • c:\Documents and Settings\test user\Application Data\Zues\owuf.tmp
    Size: 563
    SHA-1: 3dba02ecbd9e0396105b6e5dc857de9726a51c5d
    MD5: 431d1f67457da4c655aaa68bc64bfb2a
    CRC-32: d96f5462
    File type: Unspecified binary - probably data
    First seen: 2013-05-13
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Value name: {CE35014A-A7F1-24AA-5AFE-ACB852618119}
    Data: "c:\Documents and Settings\test user\Application Data\Foep\ebqui.exe"
  • HKCU\Identities
    Value name: Identity Login
    Data: 0x00098053
  • HKCU\Software\Microsoft\Owdyxe
    Value name: Pido
    Data: (binary value; contents not printable)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    Value name: CleanCookies
    Data: 0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Value name: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Value name: 1609
    Data: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Value name: 1609
    Data: 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Value name: Compact Check Count
    Data: 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    Value name: TimeStamp
    Data: d4 3e a4 25 8b 4f ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Value name: 1609
    Data: 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\foep\ebqui.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://80.82.78.84/office/prudent/server/format.bin
IP Connections
  • 80.82.78.84:80

Example 2

File Information

Size: 509K
SHA-1: 9c9b3f1904522841cf32fb227737ada02519195b
MD5: 26737058d8bd7980cce3f22b290d244e
CRC-32: 40e75032
File type: Windows executable
First seen: 2013-05-13
