Troj/Zbot-GTM

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 29 Oct 2013 18:01:38 (GMT)
Last Updated: 29 Oct 2013 18:01:38 (GMT)


Examples of Troj/Zbot-GTM include:

Example 1

File Information

Size
355K
SHA-1
1ddd5bb78838fa5aebdf976a62510a42fdd6e7f9
MD5
096f0600a9f15f97213ebae75c2c4dc3
CRC-32
fcea4f98
File type
Windows executable
First seen
2013-10-29

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Bope\ehaza.exe
    Size
    355K
    SHA-1
    9eb9cd637e1a5982d033029157b158094e2d2faf
    MD5
    d6240a3c84f5757bed1cf140e40437d9
    CRC-32
    3b7be73d
    File type
    Windows executable
    First seen
    2013-10-29
  • c:\Documents and Settings\test user\Application Data\Raytlo\qabeu.ilp
    Size
    3.8K
    SHA-1
    2e9e016c4b8347d70ca98e79e999b14af54f87ec
    MD5
    cc90210caab1b44ae63a51ab766f8cda
    CRC-32
    a9521641
    File type
    Unspecified binary - probably data
    First seen
    2013-10-29
  • c:\Documents and Settings\test user\Application Data\Raytlo\qabeu.tmp
    Size
    661
    SHA-1
    59e0988f3fad8d9e91e86201e209db9185f97335
    MD5
    4f7f44a7285493738147cc3c8a9fe65b
    CRC-32
    dc6cd54a
    File type
    Unspecified binary - probably data
    First seen
    2013-10-29
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Lewise
    "c:\Documents and Settings\test user\Application Data\Bope\ehaza.exe"
  • HKCU\Software\Microsoft\Teamf
    Ybvuamvae
    (binary data; the value is not recoverable from this page)
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    26 a8 ba da 74 d4 ce 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\bope\ehaza.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • new.samplerproduct.org

Example 2

File Information

Size
355K
SHA-1
9eb9cd637e1a5982d033029157b158094e2d2faf
MD5
d6240a3c84f5757bed1cf140e40437d9
CRC-32
3b7be73d
File type
Windows executable
First seen
2013-10-29
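The dropped Bope\ehaza.exe in Example 1 carries the same SHA-1, MD5 and CRC-32 as the file listed as Example 2, so the two examples describe one dropper and its installed copy. The script below is an added example, not Sophos code: it embeds the hashes, drop paths, Run-key value name, Teamf registry key and DNS name from the report and sweeps them against host data. The sample file, Run-key entries, registry key list, DNS log lines and zone values are constructed here so it runs offline; the DROP_PATH regex, which generalises the two <random>\<random>.<ext> drop locations in the report, and all helper names are assumptions. The 1609 check is included because that value is Internet Explorer's "Display mixed content" URL action, and the report shows it set to 0 (no prompt) in zones 0, 1, 2 and 4.

```python
"""Host sweep for the Troj/Zbot-GTM indicators listed in this report.

Added example, not Sophos code. The hashes, paths, registry names and DNS
name are copied from the report; the sample inputs, the drop-path regex and
the helper names are assumptions made here.
"""
import hashlib
import re
import zlib

# --- Indicators copied from the report ------------------------------------
IOC_SHA1 = {
    "1ddd5bb78838fa5aebdf976a62510a42fdd6e7f9",  # Example 1 dropper
    "9eb9cd637e1a5982d033029157b158094e2d2faf",  # dropped Bope\ehaza.exe (= Example 2)
    "2e9e016c4b8347d70ca98e79e999b14af54f87ec",  # Raytlo\qabeu.ilp
    "59e0988f3fad8d9e91e86201e209db9185f97335",  # Raytlo\qabeu.tmp
}
IOC_MD5 = {
    "096f0600a9f15f97213ebae75c2c4dc3",
    "d6240a3c84f5757bed1cf140e40437d9",
    "cc90210caab1b44ae63a51ab766f8cda",
    "4f7f44a7285493738147cc3c8a9fe65b",
}
IOC_RUN_VALUE = "Lewise"
IOC_REG_KEYS = {r"HKCU\Software\Microsoft\Teamf"}
IOC_DNS = {"new.samplerproduct.org"}

# Assumption: generalises the two drop directories in the report (Bope\ehaza.exe,
# Raytlo\qabeu.*) to "<short name>\<short name>.<ext>" directly under the roaming
# profile, on both the XP and the Vista+ path layout.
DROP_PATH = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[a-z]{4,6}\\[a-z]{4,6}\.(?:exe|ilp|tmp)$",
    re.IGNORECASE,
)


def file_digests(data: bytes) -> dict:
    """The three digests the report lists, in the same lowercase-hex form."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
    }


def hash_matches(data: bytes) -> bool:
    d = file_digests(data)
    return d["sha1"] in IOC_SHA1 or d["md5"] in IOC_MD5


def suspicious_run_entries(run_values: dict) -> list:
    r"""run_values maps value name -> command under HKCU\...\CurrentVersion\Run.
    Flags the exact 'Lewise' entry from the report and any entry whose command
    points at a Zbot-style drop path."""
    hits = []
    for name, cmd in run_values.items():
        path = cmd.strip().strip('"')
        if name == IOC_RUN_VALUE or DROP_PATH.search(path):
            hits.append((name, path))
    return hits


def ioc_keys_present(existing_keys) -> list:
    """Registry keys from the report that exist on the host (case-insensitive)."""
    have = {k.lower() for k in existing_keys}
    return sorted(k for k in IOC_REG_KEYS if k.lower() in have)


def dns_hits(log_lines) -> list:
    return [line for line in log_lines if any(n in line.lower() for n in IOC_DNS)]


def mixed_content_prompt_off(zone_1609: dict) -> list:
    r"""zone_1609 maps zone number -> value 1609 under Internet Settings\Zones\<n>.
    1609 is Internet Explorer's 'Display mixed content' URL action; 0 means
    enabled without a prompt, which the report shows for zones 0, 1, 2 and 4."""
    return sorted(z for z, v in zone_1609.items() if v == 0)


# --- Constructed sample input (stand-in for real host data) ---------------
SAMPLE_FILE = b"MZ" + b"\x00" * 62  # constructed, not the real sample; will not match
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "Lewise": '"c:\\Documents and Settings\\test user\\Application Data\\Bope\\ehaza.exe"',
    "Updater": "C:\\Users\\bob\\AppData\\Roaming\\Qivu\\oxpe.exe",  # drop-path style
}
SAMPLE_KEYS = [r"HKCU\Software\Microsoft\Windows", r"hkcu\software\microsoft\teamf"]
SAMPLE_DNS_LOG = [
    "2013-10-29 18:02:11 client 10.0.0.7 query: www.example.com IN A",
    "2013-10-29 18:02:14 client 10.0.0.7 query: NEW.samplerproduct.org IN A",
]
SAMPLE_ZONES = {0: 0, 1: 0, 2: 0, 3: 1, 4: 0}


def sweep() -> dict:
    """Run every check over the constructed sample data."""
    return {
        "file": hash_matches(SAMPLE_FILE),
        "run": suspicious_run_entries(SAMPLE_RUN),
        "keys": ioc_keys_present(SAMPLE_KEYS),
        "dns": dns_hits(SAMPLE_DNS_LOG),
        "zones": mixed_content_prompt_off(SAMPLE_ZONES),
    }


if __name__ == "__main__":
    for check, result in sweep().items():
        print(f"{check}: {result}")
```

To use it on a real host, replace the SAMPLE_* constants with the output of the usual collectors (file bytes read from disk, the Run key enumerated from the registry, a DNS server or resolver log). The hash check is exact and only catches these two samples; the Run-key and drop-path check is the broader one, since Zbot variants differ in their random directory and file names but keep the same layout.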
