Troj/Zbot-GBI

Category: Viruses and Spyware
Type: Trojan
Protection available since: 23 Aug 2013 15:18:19 (GMT)
Last Updated: 23 Aug 2013 15:18:19 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-GBI exhibits the following characteristics:

File Information

Size: 202K
SHA-1: 7944b23f95915509709d3c7060c8d0ccc8d986d1
MD5: 89f2bc74bb009674208a38f3a1955a33
CRC-32: 07c949eb
File type: Windows executable
First seen: 2013-08-23

Other vendor detection

Avira: TR/Dropper.Gen

Runtime Analysis

Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {5BF39009-09A3-12F2-A766-A87C1740D609}
    "c:\Documents and Settings\test user\Application Data\Aqqoat\fielim.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Beses
    Lyalmoil
    (binary value; not reproducible as text)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    b0 77 17 e0 e3 9f ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\aqqoat\fielim.exe
  • c:\windows\system32\cmd.exe
IP Connections
  • 174.36.209.148:80
