Troj/Zbot-FNX

Category: Viruses and Spyware
Type: Trojan
Protection available since: 17 Jun 2013 20:15:26 (GMT)
Last Updated: 17 Jun 2013 20:15:26 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-FNX exhibits the following characteristics:

File Information

Size: 685K
SHA-1: 68735f56dfcff810dffbb18cbadd93bcfebabba2
MD5: 566ced83c1185aa286d1521e66141c5c
CRC-32: b036a41a
File type: Windows executable
First seen: 2013-06-17

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ugype\ibdu.tmp
    Size: 563
    SHA-1: eddbd3043d840dadc3d8cfbcb858e85a0a25d445
    MD5: 5fc6e94a66cc488924427db7177212ee
    CRC-32: 2dd3d75d
    File type: Unspecified binary - probably data
    First seen: 2013-06-17
  • c:\Documents and Settings\test user\Application Data\Ugype\ibdu.ykt
    Size: 477
    SHA-1: 050ceedb64d31c3e6b31c5c7f0021056a1264d62
    MD5: 0920df55313568fbc0a1be5633414734
    CRC-32: 2f7d4a55
    File type: Unspecified binary - probably data
    First seen: 2013-06-17
  • c:\Documents and Settings\test user\Application Data\Look\raaxe.exe
    Size: 685K
    SHA-1: 8ff13d294f01d4159d490b6383cd9c2b5be8ff91
    MD5: 5e8f836e8c9d6ea70a6a0a069a18e679
    CRC-32: 1aac4f6c
    File type: Windows executable
    First seen: 2013-06-17
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Yqorp
    Elix
    (non-printable binary value; not reproduced here)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {DC17A82D-1513-0467-6949-85D5FF9BF2F5}
    "c:\Documents and Settings\test user\Application Data\Look\raaxe.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    cc 4d d3 57 7f 6b ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
Processes Created
  • c:\Documents and Settings\test user\application data\look\raaxe.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://chevan.co.ke/alfnd/ll/cfg.bin
DNS Requests
  • chevan.co.ke
