Troj/Zbot-GDG

Category: Viruses and Spyware
Protection available since: 02 Sep 2013 16:34:11 (GMT)
Type: Trojan
Last Updated: 02 Sep 2013 16:34:11 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-GDG include:

Example 1

File Information

Size: 409K
SHA-1: 4876650e238c236ea37763c6f7fe32d11f8ba635
MD5: 0ca17f70b88787560bb5483724ce1997
CRC-32: 7e266313
File type: Windows executable
First seen: 2013-09-02

Example 2

File Information

Size: 409K
SHA-1: b784e64fef88d1f88e9eae5f5fb57ebcddb0e0b4
MD5: c23e738fc239a51fa463f69fa8bf1268
CRC-32: c446fe15
File type: Windows executable
First seen: 2013-09-02

Other vendor detection

Avira: TR/Dropper.Gen

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Baeky\nylo.zey
    Size: 477
    SHA-1: 32596429ea26fd642b584a4db38559f155a69477
    MD5: bf3ad3d92be06950a4464f35dd441693
    CRC-32: 9287b315
    File type: Unspecified binary - probably data
    First seen: 2013-09-02
  • c:\Documents and Settings\test user\Application Data\Ilog\udav.exe
    Size: 409K
    SHA-1: 4876650e238c236ea37763c6f7fe32d11f8ba635
    MD5: 0ca17f70b88787560bb5483724ce1997
    CRC-32: 7e266313
    File type: Windows executable
    First seen: 2013-09-02
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCR\CLSID\{405CD8B9-3E65-4BB0-875D-A3B8247D6EE5}\InprocHandler32
    (Default)
    ole32.dll
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Alipir
    Irnyulroi
  • HKCR\CLSID\{405CD8B9-3E65-4BB0-875D-A3B8247D6EE5}\ProgID
    (Default)
    S7.Application
  • HKCR\S7.Application
    (Default)
    S7.Application
  • HKCR\S7.Application\CLSID
    (Default)
    {405CD8B9-3E65-4BB0-875D-A3B8247D6EE5}
  • HKCR\CLSID\{405CD8B9-3E65-4BB0-875D-A3B8247D6EE5}
    (Default)
    S7.Application
  • HKCR\CLSID\{405CD8B9-3E65-4BB0-875D-A3B8247D6EE5}\LocalServer32
    (Default)
    C:\DOCUME~1\support\APPLIC~1\Ilog\udav.exe
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {DEB5F4A1-4BF0-9C17-7B46-C95CA45E9D17}
    "c:\Documents and Settings\test user\Application Data\Ilog\udav.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    88 14 ea 8c dd a7 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\ilog\udav.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
HTTP Requests
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
  • http://www.kingsleyglobalgroup.com/ig/cfg.bin
DNS Requests
  • www.google.bg
  • www.google.com
  • www.kingsleyglobalgroup.com
