Troj/Zbot-FHF

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 25 May 2013 12:32:21 (GMT)
Last Updated: 25 May 2013 12:32:21 (GMT)


Examples of Troj/Zbot-FHF include:

Example 1

File Information

Size: 316K
SHA-1: 150b16af9d8c6b0b253eea974cb969c575eee77e
MD5: 7c7907a9f5ba425c44e5c67822afab0d
CRC-32: 1eb403db
File type: Windows executable
First seen: 2013-05-25

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Acsyu\uvmod.tmp
    Size: 563
    SHA-1: c828d941c00cca87723170824747dcf2f322a8cd
    MD5: aaa657ecc2b883bbb6fe0371f1c585fa
    CRC-32: b86ec20d
    File type: Unspecified binary - probably data
    First seen: 2013-05-25
  • c:\Documents and Settings\test user\Application Data\Acsyu\uvmod.hoa
    Size: 477
    SHA-1: 11dbeb70f49de7fce3669e6931b4eb6d6092e0d1
    MD5: ddd84b8c2f275ec481c8cb735d7270b0
    CRC-32: 0c54f404
    File type: Unspecified binary - probably data
    First seen: 2013-05-25
  • c:\Documents and Settings\test user\Application Data\Soyzcy\myaxu.exe
    Size: 316K
    SHA-1: dbe4a7deee732b1de72f2f0a085fd0a84cb447c4
    MD5: eb30d4887f8e5e278f49fc392e4260e7
    CRC-32: 45baf89d
    File type: Windows executable
    First seen: 2013-05-25
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9225C098-75C7-6D95-ED84-343899145B9F} = "c:\Documents and Settings\test user\Application Data\Soyzcy\myaxu.exe"
  • HKCU\Software\Microsoft\Soubso
    Bavaomq = (binary data, not displayable)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 44 d1 d5 e1 2c 59 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\soyzcy\myaxu.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://hometasefood.com/trek/config.bin
DNS Requests
  • hometasefood.com

Example 2

File Information

Size: 316K
SHA-1: dbe4a7deee732b1de72f2f0a085fd0a84cb447c4
MD5: eb30d4887f8e5e278f49fc392e4260e7
CRC-32: 45baf89d
File type: Windows executable
First seen: 2013-05-25
