Troj/Zbot-FKB

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 13 Jun 2013 06:32:20 (GMT)
Last Updated: 14 Jun 2013 23:32:27 (GMT)


Examples of Troj/Zbot-FKB include:

Example 1

File Information

Size
294K
SHA-1
0049331e5f517e81bb24eb59c5e4b71751aa7594
MD5
e259ca7438bc7292795977279b5b482c
CRC-32
dc752e6e
File type
Windows executable
First seen
2013-06-12

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Inojl\icbavo.exe
    Size
    294K
    SHA-1
    63f32d3d2a8e9ba97f666625d03ba37a2d761f1d
    MD5
    630a0412102fccbc82d8057652af9685
    CRC-32
    7182710d
    File type
    Windows executable
    First seen
    2013-06-12
  • c:\Documents and Settings\test user\Local Settings\Application Data\nanyf.evd
    Size
    477
    SHA-1
    3ac1e975299b5e7f48f11784b9c22dad76479119
    MD5
    2528db0b546a58af9872af4627ec4e1b
    CRC-32
    6a8ee019
    File type
    Unspecified binary - probably data
    First seen
    2013-06-12
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Icbavo
    "c:\Documents and Settings\test user\Application Data\Inojl\icbavo.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Uqatnizyiwe
    dj9bg3
    (binary value, non-printable bytes)
Processes Created
  • c:\Documents and Settings\test user\application data\inojl\icbavo.exe
IP Connections
  • 123.238.64.141:25399
  • 211.209.241.213:16882
  • 212.205.236.215:10079
  • 31.19.150.109:13464
  • 66.63.204.26:29482
  • 78.100.36.98:20877
  • 79.131.33.157:29658
  • 89.122.155.200:16926
  • 92.39.36.120:12243

Example 2

File Information

Size
295K
SHA-1
006d4aa85c7c2671dfa2537033e73102aae4c7a3
MD5
c6fd32569fa15eb18603a454bc0ee432
CRC-32
0c856a2c
File type
Windows executable
First seen
2013-06-13

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\afnyc.yqf
    Size
    477
    SHA-1
    6e1a54ef50ea56ef00db11acd394f9a8417069bf
    MD5
    40b889d14845811b337507d9cdb2407b
    CRC-32
    2d8b75e9
    File type
    Unspecified binary - probably data
    First seen
    2013-06-13
  • c:\Documents and Settings\test user\Application Data\Voysn\ohynm.exe
    Size
    295K
    SHA-1
    49390b1ff111e28f98287b1fc3e746cb3affef50
    MD5
    447cc636eb1cebb3431cfe79bc8b6c26
    CRC-32
    f1368725
    File type
    Windows executable
    First seen
    2013-06-13
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Ohynm
    "c:\Documents and Settings\test user\Application Data\Voysn\ohynm.exe"
  • HKCU\Software\Microsoft\Ykbufeubjac
    22808hfi
    (binary value, non-printable bytes)
  • HKCU\Identities
    Identity Login
    0x00098053
Processes Created
  • c:\Documents and Settings\test user\application data\voysn\ohynm.exe
IP Connections
  • 108.74.172.39:18939
  • 122.178.149.88:10064
  • 182.65.146.52:26524
  • 212.205.236.215:10079
  • 216.14.146.36:28073
  • 31.19.150.109:13464
  • 66.63.204.26:29482
  • 78.100.36.98:20877
  • 79.131.33.157:29658

Example 3

File Information

Size
64K
SHA-1
00f659d39bdc13577112f4970b76e925065ad316
MD5
58053aeced2c58f5fe2474142014c3bb
CRC-32
42b259d7
File type
Windows executable
First seen
2013-06-13

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\skype.dat
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    explorer.exe,c:\Documents and Settings\test user\Application Data\skype.dat
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://expkw.ru/rp-faau-xfjw-bheyviacrasi-ykmyra-pqdf-riorlisdejfzye-dmyqphvpkbdmopbafyrp-jubq-lxfysusivqjugk.php
  • http://hubbg.com/piqj-teit-qukq-cbkyfmprrtjk_oavl-bcclyvfmnmnb_crms-cbyhkkjlxy-teri_xpju_zjabonownqxcbtxq-ybnn_vk.php
DNS Requests
  • expkw.ru
  • hubbg.com
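The three samples above persist in two ways (a Run value pointing at an .exe in a short random-named folder under Application Data, or a Winlogon Shell value extended with ",...\skype.dat"), write the same HKCU\Identities "Identity Login" value, and contact a set of IP:port pairs and domains. The following triage script is an added example and not Sophos code: it checks exported registry values, file SHA-1 hashes, connection records and DNS queries against exactly those indicators. The hash, endpoint and domain constants are copied from the page; the SAMPLE_* records it runs over, the placeholder notepad.exe hash, and the RANDOM_APPDATA_EXE path heuristic are constructed for this example.

```python
"""Offline triage of host artefacts against the Troj/Zbot-FKB indicators above.

Added example, not Sophos code. Hash, path and endpoint indicators are copied
from the three samples on this page; every record it runs over is constructed.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# SHA-1 of the two dropped executables (Example 1 and Example 2).
DROPPED_EXE_SHA1: Set[str] = {
    "63f32d3d2a8e9ba97f666625d03ba37a2d761f1d",  # Inojl\icbavo.exe
    "49390b1ff111e28f98287b1fc3e746cb3affef50",  # Voysn\ohynm.exe
}

# Endpoints present in both "IP Connections" lists, plus the Example 3 domains.
C2_ENDPOINTS: Set[Tuple[str, int]] = {
    ("212.205.236.215", 10079), ("31.19.150.109", 13464),
    ("66.63.204.26", 29482), ("78.100.36.98", 20877), ("79.131.33.157", 29658),
}
C2_DOMAINS: Set[str] = {"expkw.ru", "hubbg.com"}

# Value written under HKCU\Identities by Examples 1 and 2.
IDENTITY_LOGIN_MARKER = 0x00098053

# Heuristic (constructed): Run-key data shaped like the samples, an .exe in a
# short all-letter folder directly under Application Data or AppData\Roaming.
RANDOM_APPDATA_EXE = re.compile(
    r'^"?[a-z]:\\.*\\(application data|appdata\\roaming)\\[a-z]{3,8}\\[a-z]{3,8}\.exe"?$',
    re.IGNORECASE,
)

Finding = Tuple[str, str]  # (category, detail)


def suspicious_run_value(data: str) -> bool:
    """True for Run entries of the Inojl\\icbavo.exe / Voysn\\ohynm.exe shape."""
    return RANDOM_APPDATA_EXE.match(data.strip()) is not None


def winlogon_shell_tampered(data: str) -> bool:
    """Default Shell is exactly 'explorer.exe'; Example 3 appends ',...\\skype.dat'."""
    return data.strip().lower() != "explorer.exe"


def triage_registry(values: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """values: (key, value name, data as text), as a registry export provides them."""
    hits: List[Finding] = []
    for key, name, data in values:
        k, n = key.lower(), name.lower()
        if k.endswith(r"\software\microsoft\windows\currentversion\run"):
            if suspicious_run_value(data):
                hits.append(("run-key-persistence", f"{name} -> {data}"))
        elif k.endswith(r"\windows nt\currentversion\winlogon") and n == "shell":
            if winlogon_shell_tampered(data):
                hits.append(("winlogon-shell", data))
        elif k.endswith(r"\identities") and n == "identity login":
            try:
                if int(data, 0) == IDENTITY_LOGIN_MARKER:
                    hits.append(("identity-login-marker", data))
            except ValueError:
                pass  # non-numeric data cannot be the marker
    return hits


def triage_hashes(files: Dict[str, str]) -> List[Finding]:
    """files: path -> SHA-1 hex digest."""
    return [("known-dropped-exe", p) for p, h in files.items() if h.lower() in DROPPED_EXE_SHA1]


def triage_network(flows: Iterable[Tuple[str, int]], dns: Iterable[str]) -> List[Finding]:
    """flows: (destination IP, destination port); dns: queried names."""
    hits = [("known-c2-endpoint", f"{ip}:{port}") for ip, port in flows if (ip, port) in C2_ENDPOINTS]
    hits += [("known-c2-domain", d) for d in dns if d.lower().rstrip(".") in C2_DOMAINS]
    return hits


def triage(values, files, flows, dns) -> List[Finding]:
    return triage_registry(values) + triage_hashes(files) + triage_network(flows, dns)


# Constructed sample records (not taken from the page).
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Icbavo",
     r'"c:\Documents and Settings\test user\Application Data\Inojl\icbavo.exe"'),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"explorer.exe,c:\Documents and Settings\test user\Application Data\skype.dat"),
    (r"HKCU\Identities", "Identity Login", "0x00098053"),
    (r"HKCU\Software\Microsoft\Uqatnizyiwe", "dj9bg3", "<binary>"),
]
SAMPLE_FILES = {
    r"c:\Documents and Settings\test user\Application Data\Inojl\icbavo.exe":
        "63f32d3d2a8e9ba97f666625d03ba37a2d761f1d",
    r"c:\windows\system32\notepad.exe": "0000000000000000000000000000000000000000",  # placeholder hash
}
SAMPLE_FLOWS = [("212.205.236.215", 10079), ("8.8.8.8", 53), ("31.19.150.109", 13464)]
SAMPLE_DNS = ["expkw.ru", "www.example.com"]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_FLOWS, SAMPLE_DNS):
        print(f"{category:22} {detail}")
```

The hash, endpoint and Identity Login checks are exact matches and only catch these samples; the Run-key path heuristic and the Winlogon Shell check generalise to the persistence shape and will also flag legitimate software that installs under AppData\Roaming or custom shells, so allowlist those before acting on a hit. On a live host, feed the functions from a registry export or Get-ItemProperty output rather than the constructed samples.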
