Troj/Zbot-HEA

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 11 Dec 2013 22:46:32 (GMT)
Last Updated: 11 Dec 2013 22:46:32 (GMT)


Examples of Troj/Zbot-HEA include:

Example 1

File Information

Size: 223K
SHA-1: bfa9e67c6432df55a06b6cd79a3cf6b32a9335bd
MD5: 6b9d3092e03ae6ad761e77baccda150e
CRC-32: 27831b7a
File type: Windows executable
First seen: 2013-12-11

Example 2

File Information

Size: 223K
SHA-1: 537627d11b372bab366b59bfea33d6dd5f266728
MD5: 9aa16645c8c7659c7cf6d9c1fc0204ef
CRC-32: 0552ff42
File type: Windows executable
First seen: 2013-12-11

Other vendor detection

Avira: TR/Dropper.Gen

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Riakka\elewuvu.exe
    Size: 223K
    SHA-1: bfa9e67c6432df55a06b6cd79a3cf6b32a9335bd
    MD5: 6b9d3092e03ae6ad761e77baccda150e
    CRC-32: 27831b7a
    File type: Windows executable
    First seen: 2013-12-11
  • c:\Documents and Settings\test user\Application Data\Yzgiy\izawnuy.ohg
    Size: 477
    SHA-1: 2231232340e663e7a798131429dfadfd8b4726f1
    MD5: 692d0f4d147225647e514ca1c0dfe521
    CRC-32: f27178d7
    File type: Unspecified binary - probably data
    First seen: 2013-12-11
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Gaeqoz
    Ahuso
    (non-printable binary value data)
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {548D8DCA-C9B3-093F-2697-A26473E22AFA}
    "c:\Documents and Settings\test user\Application Data\Riakka\elewuvu.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    f2 3c 8c 4e 4d f6 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\riakka\elewuvu.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
DNS Requests
  • www.makitrain.net
