Troj/Zbot-FMK

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 12 Jun 2013 18:32:04 (GMT)
Last Updated: 12 Jun 2013 18:32:04 (GMT)


Examples of Troj/Zbot-FMK include:

Example 1

File Information

Size
460K
SHA-1
40be779f61310e5233dec70fed34181a4df3b42f
MD5
774fee4964ea7753bce584a9dd42612a
CRC-32
9ee492e5
File type
Windows executable
First seen
2013-06-12

Example 2

File Information

Size
460K
SHA-1
99e78b801e155fa3c70474d18097432424dabd58
MD5
9829c5b58893eb56ba5028170bd15685
CRC-32
cd329399
File type
Windows executable
First seen
2013-06-12

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Advu\koox.exe
    Size
    460K
    SHA-1
    40be779f61310e5233dec70fed34181a4df3b42f
    MD5
    774fee4964ea7753bce584a9dd42612a
    CRC-32
    9ee492e5
    File type
    Windows executable
    First seen
    2013-06-12
  • c:\Documents and Settings\test user\Application Data\Pikos\ymce.ike
    Size
    477
    SHA-1
    6303bb1f896550cb6e41e2a2c079648ca592375f
    MD5
    82fae8d22e4dce04994b62bca207a641
    CRC-32
    2408632b
    File type
    Unspecified binary - probably data
    First seen
    2013-06-12
  • c:\Documents and Settings\test user\Application Data\Pikos\ymce.tmp
    Size
    563
    SHA-1
    59be346ca209e14c05ee1fc329b18571cead8371
    MD5
    9cf2259a17351f2d78a1965aedf9ce97
    CRC-32
    af3eccbd
    File type
    Unspecified binary - probably data
    First seen
    2013-06-12
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {DEB5F4A1-4BF0-9C17-7B46-C95CA45E9D17}
    "c:\Documents and Settings\test user\Application Data\Advu\koox.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Ysald
    Inke
    (binary data; not reproducible as text)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    e8 f2 48 9b 72 67 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\advu\koox.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://www.icecrakesdis.net/attfl/cfg.bin
DNS Requests
  • www.icecrakesdis.net
