Troj/Zbot-GKG

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 26 Sep 2013 07:07:43 (GMT)
Last Updated: 23 Jan 2014 19:09:29 (GMT)


Examples of Troj/Zbot-GKG include:

Example 1

File Information

Size
170K
SHA-1
5b3fe4e5dc424b5576cd566dc1d34cc88dabce6f
MD5
ed61278aff9622344316f83760ea54bf
CRC-32
8e38f338
File type
Windows executable
First seen
2013-09-26

Example 2

File Information

Size
170K
SHA-1
f2adee5168b50f06477c23033ecefd2f898b5466
MD5
72bfad76265d259079b7a1b07e0332a8
CRC-32
471626d3
File type
Windows executable
First seen
2013-09-26

Other vendor detection

Avira
TR/Dropper.Gen

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Pooqp\tupaly.rol
  • c:\Documents and Settings\test user\Application Data\Pooqp\tupaly.tmp
  • c:\Documents and Settings\test user\Application Data\Yqgayz\reryemt.exe
    Size
    170K
    SHA-1
    5b3fe4e5dc424b5576cd566dc1d34cc88dabce6f
    MD5
    ed61278aff9622344316f83760ea54bf
    CRC-32
    8e38f338
    File type
    Windows executable
    First seen
    2013-09-26
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Otfuuw
    Ufwu
    (binary value; contents not printable)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {7EDCD9A2-D1AF-5370-9F95-A4AA2FF3F645}
    "c:\Documents and Settings\test user\Application Data\Yqgayz\reryemt.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    26 69 a2 e3 6e ba ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\yqgayz\reryemt.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • tusgid.com

Example 3

File Information

Size
162K
SHA-1
8c2fd74be9b799e1389409fa71272c0eadd66db8
MD5
1398f3e0d6ed1c16e37bb0f286bcec47
CRC-32
c5f019f7
File type
PK ZIP archive
First seen
2013-09-26

Other vendor detection

Avira
TR/Dropper.Gen
