Troj/Zbot-GJF

Category: Viruses and Spyware
Type: Trojan
Protection available since: 23 Sep 2013 14:23:58 (GMT)
Last Updated: 23 Sep 2013 14:23:58 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-GJF exhibits the following characteristics:

File Information

Size: 850K
SHA-1: 6b5a42a74b6ba20ac97acb98767cb6d051e54e9d
MD5: ef8b8cd3c7221bea708061f46e3cf78d
CRC-32: 8f7dbbf5
File type: Windows executable
First seen: 2013-09-23

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Miu\gepyqal.ave
    Size: 477
    SHA-1: 209200a4427f8d39f1b9f9192f2e7cee832eaa7a
    MD5: e6dfdf0dd9c7ff1923c6c2cfc25ccd47
    CRC-32: d13f4207
    File type: Unspecified binary - probably data
    First seen: 2013-09-23
  • c:\Documents and Settings\test user\Application Data\Zizuyfy\otdoovk.exe
    Size: 850K
    SHA-1: 316e30df69747c663d1c584fa81ae47457753e8c
    MD5: 58303f44c2899211ca1b71d5b42e8ddb
    CRC-32: 91fe3327
    File type: Windows executable
    First seen: 2013-09-23
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {7EDCD9A2-D1AF-5370-9F95-A4AA2FF3F645}
    "c:\Documents and Settings\test user\Application Data\Zizuyfy\otdoovk.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Quca
    Ibgi
    92 bc d3 86 f2 e0 68 0c 73 c7 3c f1 61 2a 72 94 3d a3 75 b7 77 c0 a2 51 38 da 9e cc 94 ef fb 1c 59 ba a4 60 26 cc 72 05 99 c2 8f 69 72 2c 9d 40 5b 80 f3 d9 86 84 f9 78 82 d8 65 2f 31 9c 68 b8 8a cc c9 eb 23 76 6b c3 b9 bb c5 25 9e ac ff 24 fb a2 a6 a4 af ba 53 02 a9 d7 2f ef 6d 5a 95 ca df 30 45 d2 5b 1a a4 d4 1a 45 44 7e 80 76 a2 0c d9 3d 81 66 e6 02 28 e8 fa 66 52 f4 71 24 c7 d4 85 92 00 ee 01 89 29 3b f5 ca ad 7c 82 b8 78 33 47 9e 12 15 8a 30 73 6f 19 4d c3 0f 44 32 33 0c e7 eb 7d 13 53 01 48 25 51 21 ad 84 81 32 f6 3e 02 5b c4 0e 5d 04 db 35 de eb 8c 20 42 9e d6 eb ad f0 e5 50 15 d2 96 64 cd be 0b 2e 53 73 33 64 ef 14 1d 11 77 ba eb 74 7b 4c c9 98 30 7f ba d0 d0 fe 49 ae ec 39 87 4b 45 87 96 22 55 ce 8e 23 7f 61 ba 5b 60 cf 7d 62 74 57 4c 14 d9 ea 07 d0 [... 102285 intervening characters ...] 5d 62 e4 50 f8 cb 93 9d 7d 0b 6e ed 59 e8 24 81 9c c2 ca f1 0a ae 4e 33 7b 0f f7 92 8e 27 80 5f 6c 61 de f5 f9 83 ce b3 5d 5f bd f2 69 02 3b 49 2d e0 e7 92 e1 ec e7 70 27 3b 2a 17 38 1f e4 71
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    36 f7 9d 5a 47 b8 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\zizuyfy\otdoovk.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • itoys.co.nz
