Troj/Zbot-FNM

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 15 Jun 2013 20:35:25 (GMT)
Last Updated: 15 Jun 2013 20:35:25 (GMT)


Examples of Troj/Zbot-FNM include:

Example 1

File Information

Size
1.2M
SHA-1
35a6fb0ce659df1553a5d889735f7d8c136bc03c
MD5
056743e7293f47eb35e790d851ec7521
CRC-32
57e1a76f
File type
Windows executable
First seen
2013-06-15

Example 2

File Information

Size
1.2M
SHA-1
ea097ef2b2e532f93678a11b3501090205bab2ff
MD5
0c3d9b76cd503a57950e0a3808b71be4
CRC-32
d74b9e26
File type
Windows executable
First seen
2013-06-13

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Wocyi\yxmi.exe
    Size
    1.2M
    SHA-1
    35a6fb0ce659df1553a5d889735f7d8c136bc03c
    MD5
    056743e7293f47eb35e790d851ec7521
    CRC-32
    57e1a76f
    File type
    Windows executable
    First seen
    2013-06-15
  • c:\Documents and Settings\test user\Application Data\Yhsype\yzutl.ura
    Size
    477
    SHA-1
    1c948b87e7e905e65cfbb8a441a4ddc47ae12954
    MD5
    3af11e882ec12c02842550c7502f587d
    CRC-32
    8f6af688
    File type
    Unspecified binary - probably data
    First seen
    2013-06-15
  • c:\Documents and Settings\test user\Application Data\Yhsype\yzutl.tmp
    Size
    563
    SHA-1
    b6ba697324f7abaa714f1607c88b651135aba4bc
    MD5
    7891fabbf71584f8d45dc942a7ce235d
    CRC-32
    481b3881
    File type
    Unspecified binary - probably data
    First seen
    2013-06-15
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Zoexcu
    Uhipqep
    (binary data; not printable in the source)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8}
    "c:\Documents and Settings\test user\Application Data\Wocyi\yxmi.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    2a 8e 5d 42 c8 69 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\wocyi\yxmi.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://creditovehiculo.com/images/config.bin
DNS Requests
  • creditovehiculo.com
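As an added illustration, not part of the Sophos report, the following Python matches the indicators listed in this Runtime Analysis against a sandbox-style behaviour record. The record schema (files as path plus SHA-1, registry triples, a list of requested URLs), the benign entries, and the "three or more zones" threshold are assumptions made for the example; the hashes, paths, registry names and URL are those given above. The reading of value `1609` as the Internet Explorer "Display mixed content" URL action (0 = enable without prompting) is background knowledge, not something this page states.

```python
"""Added example (not from the Sophos page): flag the Troj/Zbot-FNM host
indicators listed above in a sandbox-style behaviour record."""
import hashlib
import re
import zlib

# SHA-1 values of the four files listed on the page (two samples, two drops).
KNOWN_SHA1 = {
    "35a6fb0ce659df1553a5d889735f7d8c136bc03c",
    "ea097ef2b2e532f93678a11b3501090205bab2ff",
    "1c948b87e7e905e65cfbb8a441a4ddc47ae12954",
    "b6ba697324f7abaa714f1607c88b651135aba4bc",
}

# A Run-key value named like a GUID whose data is an .exe one folder below
# the roaming profile (Application Data on XP, AppData\Roaming on Vista+).
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
APPDATA_EXE = re.compile(
    r"(?:\\application data\\|\\appdata\\roaming\\)[^\\]+\\[^\\]+\.exe$", re.I)
ZONE_KEY = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\(\d+)$",
    re.I)


def file_hashes(data: bytes) -> dict:
    """SHA-1, MD5 and CRC-32 in the lower-case hex form the report uses."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def _dword(text: str):
    """Parse a REG_DWORD rendered as 0x........; None if not hex."""
    try:
        return int(text, 16)
    except ValueError:
        return None


def assess(report: dict) -> list:
    """Return a list of matched indicators for one behaviour record.

    report = {"files": [(path, sha1)], "registry": [(key, name, data)],
              "http": [url, ...]}  (schema assumed for this example).
    """
    hits = []
    for path, sha1 in report.get("files", []):
        if sha1.lower() in KNOWN_SHA1:
            hits.append(f"known hash: {path}")
    zones_opened = set()
    for key, name, data in report.get("registry", []):
        if (key.lower().endswith(r"\currentversion\run")
                and GUID_NAME.match(name)
                and APPDATA_EXE.search(data.strip('"'))):
            hits.append(f"GUID-named Run entry to roaming-profile exe: {name}")
        m = ZONE_KEY.match(key)
        # 1609 = "Display mixed content"; 0 = enabled silently (no prompt).
        if m and name == "1609" and _dword(data) == 0:
            zones_opened.add(m.group(1))
    if len(zones_opened) >= 3:  # threshold chosen for the example
        hits.append("mixed-content prompt disabled in zones "
                    + ",".join(sorted(zones_opened)))
    for url in report.get("http", []):
        if url.lower().rsplit("/", 1)[-1] == "config.bin":
            hits.append(f"config.bin fetch: {url}")
    return hits


# Constructed record built from the indicators listed above plus two
# benign entries that must not fire.
SAMPLE_REPORT = {
    "files": [
        (r"c:\Documents and Settings\test user\Application Data\Wocyi\yxmi.exe",
         "35a6fb0ce659df1553a5d889735f7d8c136bc03c"),
        (r"c:\Documents and Settings\test user\Application Data\Yhsype\yzutl.ura",
         "1c948b87e7e905e65cfbb8a441a4ddc47ae12954"),
        (r"c:\windows\system32\cmd.exe", "0000000000000000000000000000000000000000"),
    ],
    "registry": [
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "{D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8}",
         r'"c:\Documents and Settings\test user\Application Data\Wocyi\yxmi.exe"'),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "Updater", r'"C:\Program Files\Example\updater.exe"'),  # benign, constructed
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1609", "0x00000000"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1609", "0x00000000"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "1609", "0x00000000"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "1609", "0x00000000"),
        (r"HKCU\Software\Microsoft\Internet Explorer\Privacy", "CleanCookies", "0x00000000"),
    ],
    "http": ["http://creditovehiculo.com/images/config.bin"],
}

if __name__ == "__main__":
    for hit in assess(SAMPLE_REPORT):
        print(hit)
```

On the constructed record this yields five hits: two hash matches, the GUID-named Run entry, the 1609 change across zones 0, 1, 2 and 4, and the config.bin download; the benign Run entry and the CleanCookies value are ignored. `file_hashes()` is the companion for checking files pulled from a host, and emits CRC-32 masked to 32 bits so it compares equal to the eight-digit form in the report.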
