Troj/Zbot-FNQ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 17 Jun 2013 00:35:22 (GMT)
Last Updated: 16 Aug 2013 07:05:41 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-FNQ include:

Example 1

File Information

Size: 1.5M
SHA-1: 03b9a96defd08952266ca28d9de49fcd96b0bdfb
MD5: b955b89dd47384743c3819d640ec1f75
CRC-32: 8b47f03e
File type: Windows executable
First seen: 2013-06-18

Example 2

File Information

Size: 446K
SHA-1: 07bdd8b011510b1de9e26be0650d97cb3bb1079a
MD5: 741d3c388386f49492b294712a2cdb21
CRC-32: 446e5bb3
File type: Windows executable
First seen: 2013-06-28

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Owzua\yvneu.qoi
  • c:\Documents and Settings\test user\Local Settings\Temp\file.exe
    Size: 446K
    SHA-1: b4cc92e90d911268b75c13deb1e93527fdc34912
    MD5: 6eb80b8ae81f24220d1c06e70823af89
    CRC-32: 70fc2f9e
    File type: Windows executable
    First seen: 2013-06-28
  • c:\Documents and Settings\test user\Application Data\Iquzo\irans.exe
    Size: 446K
    SHA-1: b4cc92e90d911268b75c13deb1e93527fdc34912
    MD5: 6eb80b8ae81f24220d1c06e70823af89
    CRC-32: 70fc2f9e
    File type: Windows executable
    First seen: 2013-06-28
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Ufihl
    Kouvun: (binary data; rendered as unprintable characters in the report)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies: 0x00000000
  • HKCU\Identities
    Identity Login: 0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {B5900658-B683-C128-79C7-9C7C8F41D583}: "c:\Documents and Settings\test user\Application Data\Iquzo\irans.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609: 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count: 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp: 90 78 2e e9 22 74 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\iquzo\irans.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://lostbandgreed.co.uk/mon/cfg.bin
DNS Requests
  • lostbandgreed.co.uk

Example 3

File Information

Size: 1.3M
SHA-1: 07da988ff43e833186c2cd1f1f1905d0c242b30e
MD5: 4f05b7205df13c76c4d14231ccca0d39
CRC-32: 7634341f
File type: Windows executable
First seen: 2011-06-27

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\file.exe
