Troj/Zbot-GHV

Category: Viruses and Spyware
Type: Trojan
Protection available since: 26 Sep 2013 07:07:43 (GMT)
Last Updated: 26 Sep 2013 07:07:43 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-GHV include:

Example 1

File Information

Size
246K
SHA-1
75ec17e7cef4ef59bc3c0f234231b52da6a309c8
MD5
c1b478edcf8229fd3fcaba3222df6dff
CRC-32
48c92ba1
File type
Windows executable
First seen
2013-09-26

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Anals\niyha.exe
    Size
    246K
    SHA-1
    f085b50fb6889d8b2d93205cd23725dc96ea2ece
    MD5
    f2033fb8132337975c0470f3c08b8895
    CRC-32
    75daa210
    File type
    Windows executable
    First seen
    2013-09-26
  • c:\Documents and Settings\test user\Application Data\Egow\daumw.hai
    Size
    477
    SHA-1
    03e64abd9bdc30814b14bc481e5dc7a29d87bbf5
    MD5
    fb77697ebb2902bcdceba73c2f782569
    CRC-32
    dd0536e0
    File type
    Unspecified binary - probably data
    First seen
    2013-09-26
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Xotu
    Kesaav
    (binary data; not displayable as text)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {F7BC645D-BB67-D698-27E3-E37DD21C715B}
    "c:\Documents and Settings\test user\Application Data\Anals\niyha.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    e8 e9 b5 c7 61 ba ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\anals\niyha.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
HTTP Requests
  • http://gldeawoo.com/kenn/cfg2.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • gldeawoo.com
  • www.google.bg
  • www.google.com
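The registry changes listed above are the part of this analysis that is easiest to turn into a host check: the persistence entry is a GUID-named value under the HKCU Run key pointing at an executable two directories below the roaming profile folder, and the IE zone value 1609 (URLACTION_HTML_MIXED_CONTENT) is set to 0, which lets pages load mixed content without the prompt. The script below is an added example, not Sophos's or the page's own tooling. It parses a constructed `.reg` export (the `reg export` file format; the export text, the second GUID entry and the `Ykeb\opqa.exe` path are made up for the demonstration) and flags the exact Run value from this page, any other Run value that fits the same pattern, and any zone in which 1609 has been set to 0. The generalized pattern check goes beyond the single entry on the page and will also hit other samples that use the same persistence layout.

```python
import re

# Indicator recorded on the page for Troj/Zbot-GHV (Example 1, "Registry Keys Created").
ZBOT_GHV_RUN_VALUE = "{F7BC645D-BB67-D698-27E3-E37DD21C715B}"

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# <profile>\Application Data\<dir>\<name>.exe (XP) or <profile>\AppData\Roaming\<dir>\<name>.exe (Vista+).
ROAMING_EXE_RE = re.compile(r"\\(?:application data|appdata\\roaming)\\[^\\]+\\[^\\]+\.exe$", re.I)
ZONE_KEY_RE = re.compile(r"\\internet settings\\zones\\(\d+)$", re.I)
MIXED_CONTENT_ACTION = "1609"  # URLACTION_HTML_MIXED_CONTENT: 0 = allow silently, 1 = prompt, 3 = block

# Constructed .reg export for the demonstration (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{F7BC645D-BB67-D698-27E3-E37DD21C715B}"="\"c:\\Documents and Settings\\test user\\Application Data\\Anals\\niyha.exe\""
"{0B6C3E4A-1F2D-4C5E-9A7B-8D6E5F4A3B2C}"="\"C:\\Users\\test user\\AppData\\Roaming\\Ykeb\\opqa.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609"=dword:00000000
"1A00"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000001
'''


def unescape_reg_string(s):
    """Undo the .reg escaping: a backslash escapes the next character (\\ and \")."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string and dword values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue  # default (@) values and other types are not needed here
        name, data = unescape_reg_string(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = unescape_reg_string(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
    return keys


def exe_from_command(cmd):
    """Extract the executable path from a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def find_zbot_indicators(reg):
    """Return (kind, subject, detail) tuples for the indicators this page describes."""
    findings = []
    for key, values in reg.items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                path = exe_from_command(data)
                if name == ZBOT_GHV_RUN_VALUE:
                    findings.append(("run-value-ioc", name, path))
                elif GUID_RE.match(name) and ROAMING_EXE_RE.search(path):
                    findings.append(("run-value-pattern", name, path))
        zm = ZONE_KEY_RE.search(key)
        if zm and values.get(MIXED_CONTENT_ACTION) == 0:
            findings.append(("mixed-content-allowed", "zone " + zm.group(1), key))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_zbot_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{kind:22} {subject}  ->  {detail}")
```

To run it against a real machine, export the two hives with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion file.reg` (the export is UTF-16; decode it before passing it to `parse_reg_export`). The pattern rule will also flag benign software that uses a GUID-named Run value under the roaming profile, so treat those hits as leads to confirm with the file hashes above rather than as a verdict.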

Example 2 (identical to the niyha.exe dropped by Example 1: same SHA-1, MD5 and CRC-32)

File Information

Size
246K
SHA-1
f085b50fb6889d8b2d93205cd23725dc96ea2ece
MD5
f2033fb8132337975c0470f3c08b8895
CRC-32
75daa210
File type
Windows executable
First seen
2013-09-26
