Troj/Zbot-FKM

Category: Viruses and Spyware
Type: Trojan
Protection available since: 15 Jun 2013 02:09:35 (GMT)
Last Updated: 15 Jun 2013 02:09:35 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-FKM include:

Example 1

File Information

Size: 866K
SHA-1: 2b96adfd7ce39adec9473f9847f1e3f1717cdc9b
MD5: e8402d29aadfd5c02c470f0130db7ec3
CRC-32: d8a47c3f
File type: Windows executable
First seen: 2013-06-14

Example 2

File Information

Size: 866K
SHA-1: d9d0156ef44bb5dcf09f8add86c3f88895b6b5a0
MD5: 767fd14adb9709a38cefaf8805bf5f2b
CRC-32: 9840f3ca
File type: Windows executable
First seen: 2013-06-14

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Mygiv\sudohum.tmp
    Size: 563
    SHA-1: 8d1e6c9124687487c90dc9ce694a3310f076650d
    MD5: 22e6353981e0f587fb1714c861a73c68
    CRC-32: d9820e29
    File type: Unspecified binary - probably data
    First seen: 2013-06-14
  • c:\Documents and Settings\test user\Application Data\Cienf\saykvo.exe
    Size: 866K
    SHA-1: 2b96adfd7ce39adec9473f9847f1e3f1717cdc9b
    MD5: e8402d29aadfd5c02c470f0130db7ec3
    CRC-32: d8a47c3f
    File type: Windows executable
    First seen: 2013-06-14
  • c:\Documents and Settings\test user\Application Data\Mygiv\sudohum.ace
    Size: 477
    SHA-1: 3d4c11c91eecab0ec631a4054cf3d3f350b4884f
    MD5: a400ffeb9f377f384cbd0e328dfa9301
    CRC-32: 59d143e7
    File type: Unspecified binary - probably data
    First seen: 2013-06-14
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe = %windir%\explorer.exe
  • HKCU\Software\Microsoft\Ihub
    Tuzuik = (binary data, not rendered)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe = %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9BB4AE73-CB78-BDB2-2F99-EC9EDD149165} = "c:\Documents and Settings\test user\Application Data\Cienf\saykvo.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = c2 18 d1 4f 52 69 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
Processes Created
  • c:\Documents and Settings\test user\application data\cienf\saykvo.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • euedit.com