Troj/Zbot-GFZ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 10 Sep 2013 03:32:10 (GMT)
Last Updated: 10 Sep 2013 03:32:10 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-GFZ exhibits the following characteristics:

File Information
  Size: 346K
  SHA-1: cbeb3d58d7f91f03948911695ee251bd5b7ecabf
  MD5: c1ed290a845125e034c99dc4f92b4f42
  CRC-32: 8d1e5f05
  File type: Windows executable
  First seen: 2013-09-09

Runtime Analysis

Dropped Files
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.pif
    Size: 346K
    SHA-1: 585660b0f182a1b71f99cb2b4fbd8bfd4372f391
    MD5: 5e1a53ac59328e09b8af4ecc71a36d0d
    CRC-32: 5eb7ddb0
    File type: Windows executable
    First seen: 2013-09-09
  • c:\Documents and Settings\test user\Application Data\InstallDir\help.exe
    Size: 346K
    SHA-1: 585660b0f182a1b71f99cb2b4fbd8bfd4372f391
    MD5: 5e1a53ac59328e09b8af4ecc71a36d0d
    CRC-32: 5eb7ddb0
    File type: Windows executable
    First seen: 2013-09-09
  • c:\Documents and Settings\test user\Application Data\Leyzg\suomx.ell
    Size: 477
    SHA-1: babc8bfa8fd0e33e3db4fd4514fe5397b0b775dc
    MD5: 217e2229ebc47d93cd461cb4b9fba7d9
    CRC-32: 2a0cef6f
    File type: Unspecified binary - probably data
    First seen: 2013-09-09
  • c:\Documents and Settings\test user\Application Data\Ulgur\icef.exe
    Size: 346K
    SHA-1: 585660b0f182a1b71f99cb2b4fbd8bfd4372f391
    MD5: 5e1a53ac59328e09b8af4ecc71a36d0d
    CRC-32: 5eb7ddb0
    File type: Windows executable
    First seen: 2013-09-09
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\system.pif
    Size: 346K
    SHA-1: 585660b0f182a1b71f99cb2b4fbd8bfd4372f391
    MD5: 5e1a53ac59328e09b8af4ecc71a36d0d
    CRC-32: 5eb7ddb0
    File type: Windows executable
    First seen: 2013-09-09
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8}: "c:\Documents and Settings\test user\Application Data\Ulgur\icef.exe"
  • HKCU\Software\Microsoft\Cocyyq
    Ihazvi: (binary value; not readable in this rendering)
  • HKCU\Identities
    Identity Login: 0x00098053
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    help: (binary value; not readable in this rendering)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp: 24 99 63 41 b6 ad ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609: 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count: 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609: 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\ulgur\icef.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
HTTP Requests
  • http://prkitchensinc.com/.tmp/cfg.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • prkitchensinc.com
  • www.google.bg
  • www.google.com
