Troj/Zbot-GYN

Category: Viruses and Spyware
Type: Trojan
Protection available since: 20 Nov 2013 23:33:51 (GMT)
Last Updated: 20 Nov 2013 23:33:51 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-GYN include:

Example 1

File Information

Size
441K
SHA-1
71055bd63ef11951af68b4893b9bb4ee0b0ffb56
MD5
3e25192dcd89ae00574a7775f6869e2e
CRC-32
33966ddc
File type
Windows executable
First seen
2013-11-20

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Upheub\aribu.exe
    Size
    441K
    SHA-1
    9e55d20bce444b1a8e8494e564cc7ea785088287
    MD5
    5c0b07c6521926e65c6b94e110c90e07
    CRC-32
    92be1147
    File type
    Windows executable
    First seen
    2013-11-20
  • c:\Documents and Settings\test user\Application Data\Xoucp\ricek.kii
    Size
    477 bytes
    SHA-1
    2a6761a3e5eba58f07fde0af63f1c89ccee0cc11
    MD5
    de8edaf46904fb247b73d7c54cf443ed
    CRC-32
    db4109ae
    File type
    Unspecified binary - probably data
    First seen
    2013-11-20
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {DEB5F4A1-4BF0-9C17-7B46-C95CA45E9D17}
    "c:\Documents and Settings\test user\Application Data\Upheub\aribu.exe"
  • HKCU\Software\Microsoft\Wazi
    Ucudatxy
    (binary data, not printable)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    b8 a5 ae 25 21 e6 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\upheub\aribu.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://indochinatraveller.com/var/cfg.bin
  • http://networksecurityx.hopto.org/
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • indochinatraveller.com
  • networksecurityx.hopto.org
  • www.google.bg
  • www.google.com
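The behaviour listed above is enough for a quick triage sweep: a Run value named like a GUID whose data points at an executable under Application Data, a copy of the dropped aribu.exe (whose SHA-1 is the same as Example 2 below), and a cfg.bin fetch, consistent with Zbot retrieving its configuration file, from the listed hosts. The following Python is an added example and not part of the Sophos analysis. The registry values, hash inventory and proxy log lines are constructed to mirror the indicators on this page; the proxy log format, the AppData\Roaming path alternative (the Vista-and-later form of the XP path shown above) and the generic cfg.bin heuristic for unlisted hosts are assumptions that go beyond the specific case here, as are all function and variable names.

```python
"""Quick IOC sweep for the Troj/Zbot-GYN indicators listed above.

Added example, not Sophos code.  All inputs below are constructed samples
standing in for what a real host or proxy would yield; the matching logic is
the part that transfers.
"""
import hashlib
import re
from dataclasses import dataclass

# Hashes taken from the analysis above: the dropper and the dropped aribu.exe
# (which is the same file as Example 2).
SHA1_IOCS = {
    "71055bd63ef11951af68b4893b9bb4ee0b0ffb56": "Example 1 dropper",
    "9e55d20bce444b1a8e8494e564cc7ea785088287": "aribu.exe (same as Example 2)",
}
# Hosts contacted other than the google.* connectivity checks.
C2_HOSTS = {"indochinatraveller.com", "networksecurityx.hopto.org"}

# Heuristic for the persistence pattern: a Run value whose name looks like a
# GUID and whose data points at an .exe under the roaming profile.  The
# "AppData\Roaming" alternative is an assumption extending the XP-era path
# on this page to Vista and later.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
APPDATA_EXE_RE = re.compile(
    r'\\(application data|appdata\\roaming)\\[^\\]+\\[^\\]+\.exe"?$', re.I)
CONFIG_RE = re.compile(r"/cfg\.bin$", re.I)   # generic, beyond the listed URL


@dataclass
class Finding:
    kind: str
    detail: str


def check_run_values(run_values):
    """run_values: {value name: data} from HKCU\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in run_values.items():
        if GUID_RE.match(name) and APPDATA_EXE_RE.search(data.strip()):
            hits.append(Finding("persistence", f"{name} -> {data}"))
    return hits


def check_hash_inventory(inventory):
    """inventory: {path: sha1 hex}, e.g. from Get-FileHash -Algorithm SHA1."""
    hits = []
    for path, sha1 in inventory.items():
        label = SHA1_IOCS.get(sha1.lower())
        if label:
            hits.append(Finding("file", f"{path} is {label}"))
    return hits


def check_proxy_log(lines):
    """lines: 'epoch client METHOD url' records (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        m = re.match(r"https?://([^/]+)(/.*)?$", parts[3])
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        if host in C2_HOSTS:
            hits.append(Finding("network", f"{parts[1]} -> known host {host}{path}"))
        elif CONFIG_RE.search(path):
            hits.append(Finding("network", f"{parts[1]} -> cfg.bin fetch from {host}"))
    return hits


def sweep(run_values, inventory, proxy_lines):
    """Run all three checks and return the combined list of findings."""
    return (check_run_values(run_values)
            + check_hash_inventory(inventory)
            + check_proxy_log(proxy_lines))


def sha1_file(path):
    """Helper for a live sweep: SHA-1 of a file on disk, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed samples mirroring the indicators above.
SAMPLE_RUN_VALUES = {
    "{DEB5F4A1-4BF0-9C17-7B46-C95CA45E9D17}":
        r'"c:\Documents and Settings\test user\Application Data\Upheub\aribu.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_INVENTORY = {
    r"c:\Documents and Settings\test user\Application Data\Upheub\aribu.exe":
        "9e55d20bce444b1a8e8494e564cc7ea785088287",
    r"c:\windows\system32\cmd.exe": "0" * 40,   # placeholder, not the real hash
}
SAMPLE_PROXY_LOG = [
    "1384992831 10.0.0.5 GET http://indochinatraveller.com/var/cfg.bin",
    "1384992832 10.0.0.5 GET http://networksecurityx.hopto.org/",
    "1384992833 10.0.0.5 GET http://www.google.com/webhp",
    "1384992840 10.0.0.7 GET http://example.net/static/cfg.bin",
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_RUN_VALUES, SAMPLE_INVENTORY, SAMPLE_PROXY_LOG):
        print(f"[{f.kind}] {f.detail}")
```

On a live host the three inputs come from the Run key, a SHA-1 inventory of the profile directory (sha1_file above, or Get-FileHash), and the proxy or firewall log; the google.* requests are deliberately not treated as indicators, since they look like connectivity checks rather than command and control.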

Example 2

File Information

Size
441K
SHA-1
9e55d20bce444b1a8e8494e564cc7ea785088287
MD5
5c0b07c6521926e65c6b94e110c90e07
CRC-32
92be1147
File type
Windows executable
First seen
2013-11-20
