Troj/Zbot-FGW

Category: Viruses and Spyware
Type: Trojan
Protection available since: 23 May 2013 15:26:33 (GMT)
Last Updated: 23 May 2013 15:26:33 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-FGW exhibits the following characteristics:

File Information

Size
297K
SHA-1
1d09dd539af6c3d2a4cffab18ad10f0dfd7cb298
MD5
005545c80666017a3d2276e3b85de772
CRC-32
51454f49
File type
application/x-ms-dos-executable
First seen
2013-05-23

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Afkifu\beitr.tmp
    Size
    563
    SHA-1
    17cbd5ac7ba12f7a7497a6a60f47a7736c1658c9
    MD5
    d1723c5f6027b3a6b204986286d22bc1
    CRC-32
    a7646809
    File type
    application/octet-stream
    First seen
    2013-05-23
  • c:\Documents and Settings\test user\Application Data\Kyuw\yraly.exe
    Size
    297K
    SHA-1
    a3ee25fccb02645ffd0f5ca236634cba9c6e156e
    MD5
    5af1f64b9eca55c24655988ed20bd74e
    CRC-32
    bd8c78ba
    File type
    application/x-ms-dos-executable
    First seen
    2013-05-23
  • c:\Documents and Settings\test user\Application Data\Afkifu\beitr.ane
    Size
    477
    SHA-1
    ac8eae7994a042ea9713f297f57c166bb77a9235
    MD5
    067f7a2c482709b1bc19912c5c49821f
    CRC-32
    2bd3c2c0
    File type
    application/octet-stream
    First seen
    2013-05-23
  • C:\debug.txt
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Oqoh
    Enoxviuv
    (binary data, not printable)
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {3CB451B2-9742-14F0-232C-417828D64F78}
    "c:\Documents and Settings\test user\Application Data\Kyuw\yraly.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    40 cb de d6 b7 57 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\kyuw\yraly.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://interborder-trading.com/file/zeus/config.bin
DNS Requests
  • interborder-trading.com
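The registry indicators above (a GUID-named value under HKCU\...\CurrentVersion\Run pointing at an executable in a randomly named Application Data subfolder, Internet Settings\Zones\N\1609 set to 0, and Internet Explorer\Privacy\CleanCookies set to 0) can be hunted for in a registry export from a suspect machine. The script below is an added example, not part of the Sophos analysis: it parses a constructed .reg export (sample text written for this example that mirrors the keys listed above, plus a benign Run value and an untouched zone as negative cases) and reports the entries that match. Reading 1609 as Internet Explorer's URLACTION_HTTP_MIXED_CONTENT policy (0 = allow mixed content without prompting) is background knowledge rather than something the listing states, and accepting an AppData\Roaming path alongside the XP-era Application Data path is an assumption that extends the listed path to later Windows versions.

```python
import re

# Constructed sample .reg export for this example (not captured from the sample).
# Key paths and the GUID value name are copied from the listing above; the
# OneDrive entry and the Zones\3 entry are benign negatives.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{3CB451B2-9742-14F0-232C-417828D64F78}"="\"c:\\Documents and Settings\\test user\\Application Data\\Kyuw\\yraly.exe\""
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000001
'''

# {8-4-4-4-12} hex GUID, the shape of the Run value name in the listing.
GUID_NAME = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# <profile>\Application Data\<dir>\<file>.exe as listed; the AppData\Roaming
# alternative is an assumption for Vista and later profile layouts.
APPDATA_EXE = re.compile(
    r'(\\application data|\\appdata\\roaming)\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
ZONE_KEY = re.compile(r'\\internet settings\\zones\\\d+$')
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (single-line values only)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: (type, data)}}.

    Handles REG_SZ and REG_DWORD, which is all the indicators need; any other
    right-hand side (hex:, multi-line binary) is kept raw and unparsed.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(rhs[6:], 16))
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(rhs[1:-1]))
        else:
            keys[current][name] = ("RAW", rhs)
    return keys


def find_indicators(keys):
    """Return (indicator, key, value_name, data) tuples for the Zbot-FGW registry IOCs."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r'\software\microsoft\windows\currentversion\run'):
            for name, (vtype, data) in values.items():
                # Persistence: GUID-named Run value launching an exe from Application Data.
                if vtype == "REG_SZ" and GUID_NAME.match(name) \
                        and APPDATA_EXE.search(data.strip('"')):
                    findings.append(("run_guid_appdata", key, name, data))
        if ZONE_KEY.search(k):
            # 1609 = URLACTION_HTTP_MIXED_CONTENT; 0 allows mixed content silently.
            vtype, data = values.get("1609", (None, None))
            if vtype == "REG_DWORD" and data == 0:
                findings.append(("mixed_content_allowed", key, "1609", data))
        if k.endswith(r'\software\microsoft\internet explorer\privacy'):
            vtype, data = values.get("CleanCookies", (None, None))
            if vtype == "REG_DWORD" and data == 0:
                findings.append(("clean_cookies_zero", key, "CleanCookies", data))
    return findings


def hunt(reg_text):
    """Parse an export and return its indicator hits."""
    return find_indicators(parse_reg(reg_text))


if __name__ == "__main__":
    for indicator, key, name, data in hunt(SAMPLE_REG):
        print(f"{indicator}: [{key}] {name} = {data!r}")
```

On a live machine, produce the input with `reg export HKCU hkcu.reg` and feed the file to `hunt()`; the Run-value check is the most specific of the three, since the zone and cookie settings can also be changed by legitimate administration.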
