Troj/Zbot-FWF

Category: Viruses and Spyware
Protection available since: 01 Aug 2013 08:31:10 (GMT)
Type: Trojan
Last Updated: 01 Aug 2013 08:31:10 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-FWF include:

Example 1

File Information

Size: 1.4M
SHA-1: 2774aba7d33ae20848c480e8ffa92a97205cca04
MD5: 5952aa57b02088a8d236fd20ae23af5d
CRC-32: d1049054
File type: Windows executable
First seen: 2013-07-31

Example 2

File Information

Size: 1.4M
SHA-1: 44271f733e9ecf8d523bdae9edbf8954ab645ee7
MD5: c0702cd7f660ae80a6b7fe6a78381445
CRC-32: a45c0fcd
File type: Windows executable
First seen: 2013-07-30

Example 3

File Information

Size: 1.4M
SHA-1: 47503f97aa10709dadec4ab40fd2c4b951f14b86
MD5: 32a638045e48a4cbb7d113e705204d5d
CRC-32: 8088f394
File type: Windows executable
First seen: 2013-07-23

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Okkaers\gudauf.exe
    Size: 1.4M
    SHA-1: 85c5feb88642b26fb6db87ec532d6a74b508656b
    MD5: a66a27d2f281aa40c7b9cbd7837e196c
    CRC-32: 5094c42d
    File type: Windows executable
    First seen: 2013-08-01
  • c:\Documents and Settings\test user\Application Data\Pugo\otxeodd.tmp
    Size: 563
    SHA-1: 6455d3713ac77f3e4452a0a263e8480c71ab4739
    MD5: f0ebb34acf04094edca647a3fba67bbf
    CRC-32: 252a7c9b
    File type: Unspecified binary - probably data
    First seen: 2013-08-01
  • c:\Documents and Settings\test user\Application Data\Pugo\otxeodd.xuy
    Size: 477
    SHA-1: 9ca655a44ef23802fd359b54589f1a850fcfea37
    MD5: 1d2b886dabf2836c8e7f0554fd7422a9
    CRC-32: 6fc8499c
    File type: Unspecified binary - probably data
    First seen: 2013-08-01
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {CD458634-80EE-BF72-07A6-DBD75B932981}
    "c:\Documents and Settings\test user\Application Data\Okkaers\gudauf.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Gywina
    Amgosauzb
    m|□@□□□j□□,□□□□ Q□□i□□□□p□□p□□□□□□□□□U□□y□□□□ □□@□□□□□□/□□+□@□□□□□0□□`□□0L□□□□P□□□□□□□□□□□□H□□□□□□□`□□□□□□Y□0q□P□□□g□□□□□□□0□□□□□□P□@□□`□□`□□`X□`□□□□□0k□@7□□=□□□□`□□□□□□□□□□□
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    e8 f3 4f 85 77 8e ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\okkaers\gudauf.exe
  • c:\windows\system32\cmd.exe
IP Connections
  • 198.15.127.170:80
