Troj/Zbot-GNQ

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 05 Oct 2013 16:57:23 (GMT)
Last Updated: 05 Oct 2013 16:57:23 (GMT)

Examples of Troj/Zbot-GNQ include:

Example 1

File Information

Size: 279K
SHA-1: 134ddfa5a86ee063c6573614f6d126f9faac71b2
MD5: 9112ca6d1af2a750f672c54e36886356
CRC-32: 38a82582
File type: Windows executable
First seen: 2013-10-05

Example 2

File Information

Size: 279K
SHA-1: 50bfe8d23f9679e79d90d456f72f140e47577162
MD5: 2adddd737c73e996f261f5f3711086af
CRC-32: 2098a75d
File type: Windows executable
First seen: 2013-10-04

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Isozb\igbu.exe
    Size: 279K
    SHA-1: 134ddfa5a86ee063c6573614f6d126f9faac71b2
    MD5: 9112ca6d1af2a750f672c54e36886356
    CRC-32: 38a82582
    File type: Windows executable
    First seen: 2013-10-05
  • c:\Documents and Settings\test user\Application Data\Ynciam\ofal.hio
    Size: 477
    SHA-1: 19861593873b6f90923170a6af245252407850cb
    MD5: 635223aeba0c0995f112043c3cd9aa6f
    CRC-32: 55b12579
    File type: Unspecified binary - probably data
    First seen: 2013-10-05
  • c:\Documents and Settings\test user\Local Settings\Temp\file.exe
    Size: 279K
    SHA-1: 134ddfa5a86ee063c6573614f6d126f9faac71b2
    MD5: 9112ca6d1af2a750f672c54e36886356
    CRC-32: 38a82582
    File type: Windows executable
    First seen: 2013-10-05
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {B5900658-B683-C128-79C7-9C7C8F41D583}
    "c:\Documents and Settings\test user\Application Data\Isozb\igbu.exe"
  • HKCU\Software\Microsoft\Niycys
    Ukopasxeo
    (binary value; not reproducible as text)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    72 16 73 8b 7d c1 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\isozb\igbu.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://newcollins.co.uk/collins/cfg.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • newcollins.co.uk
  • www.google.bg
  • www.google.com