Troj/Zbot-IAM

Category: Viruses and Spyware
Protection available since: 07 Apr 2014 09:44:01 (GMT)
Type: Trojan
Last Updated: 07 Apr 2014 09:44:01 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-IAM include:

Example 1

File Information

Size
407K
SHA-1
be21d981d353befbdba53b9b9550033ca9dde450
MD5
262f38c63f3b3e43a5b4403b814d07a9
CRC-32
ba851aad
File type
application/x-ms-dos-executable
First seen
2014-04-07

Example 2

File Information

Size
499K
SHA-1
2538e19ec5189787c4a3070d4fa8ed977b12bdf6
MD5
66719b4b91eca7b00928ca301f9ca330
CRC-32
42c4a235
File type
Windows executable
First seen
2014-04-07

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ogxi\pyob.exe
    Size
    499K
    SHA-1
    400f275bfb5bcf5941657da60822755ab6d59f55
    MD5
    8366c2fc2bbdb7f3f832b8ef6e95a133
    CRC-32
    3182b38d
    File type
    Windows executable
    First seen
    2014-04-07
  • c:\Documents and Settings\test user\Application Data\Cocu\ilqyp.suv
    Size
    8.2K
    SHA-1
    73af0cd2aa46e2c42eb884ac16da6a7c0a6aca51
    MD5
    655a9adb3832f4acc7f7f883468854c8
    CRC-32
    08b1f433
    File type
    Unspecified binary - probably data
    First seen
    2014-04-07
  • c:\Documents and Settings\test user\Local Settings\Temp\tmp05df36c8.bat
    Size
    129
    SHA-1
    f8f43c93930f47c125d1b7546b3e6165c79f8b68
    MD5
    47abfe942525a1b0d7a8d912e69ffeee
    CRC-32
    5ec14ab3
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2014-04-07
  • c:\Documents and Settings\test user\Application Data\Avbyox\noobm.ame
    Size
    390K
    SHA-1
    71723500fdc8c27fa880620829245a5fd3ee5228
    MD5
    7edf4b7db35ba5aaf9be8110932116be
    CRC-32
    4bafb0c5
    File type
    Unspecified binary - probably data
    First seen
    2014-04-07
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Adat
    Gide
    (binary value; non-printable bytes not rendered)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Xyixu
    "c:\Documents and Settings\test user\Application Data\Ogxi\pyob.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    a8 38 ac 07 2a 52 cf 01
Processes Created
  • c:\Documents and Settings\test user\application data\ogxi\pyob.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\hostname.exe
  • c:\windows\system32\ipconfig.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\tasklist.exe
HTTP Requests
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • www.google.bg
  • www.google.com
  • www.r-sbonline.org
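The runtime indicators above (an executable dropped into a randomly named folder under Application Data, a Run key pointing at it, and hostname, ipconfig, net, net1, netsh and tasklist launched beneath it) can be turned into a host check. The Python below is an added example written for this page; it is not Sophos tooling and not part of the original analysis. It computes the SHA-1/MD5/CRC-32 triple the listing reports, matches a file's SHA-1 against the hashes given on this page, and runs a process-tree rule over constructed process-creation records in an assumed `time|ppid|pid|image` format. The sample log, the 60-second window and the three-tool threshold are assumptions, not figures from the analysis.

```python
import hashlib
import re
import zlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# SHA-1 indicators copied from the file information on this page.
KNOWN_SHA1 = {
    "be21d981d353befbdba53b9b9550033ca9dde450": "Troj/Zbot-IAM example 1",
    "2538e19ec5189787c4a3070d4fa8ed977b12bdf6": "Troj/Zbot-IAM example 2",
    "400f275bfb5bcf5941657da60822755ab6d59f55": "Troj/Zbot-IAM dropped pyob.exe",
    "f18fa848f0e630d35d0b4c833a7126398347ed12": "Troj/Zbot-IAM example 3",
}

# Recon utilities listed under "Processes Created" above.
RECON_TOOLS = {"hostname.exe", "ipconfig.exe", "net.exe", "net1.exe",
               "netsh.exe", "tasklist.exe"}
# Processes we look through when attributing a tool to whatever launched the chain.
PASS_THROUGH = RECON_TOOLS | {"cmd.exe"}

# Dropper location seen above: <random>\<random>.exe directly under the roaming
# profile ("Application Data" on XP, "AppData\Roaming" on later Windows).
APPDATA_DROPPER = re.compile(
    r"\\(application data|appdata\\roaming)\\[a-z]{3,8}\\[a-z]{3,8}\.exe$")


def fingerprint(data: bytes) -> dict:
    """Digest bytes the way the listing reports them: SHA-1, MD5, CRC-32 (8 hex digits)."""
    return {
        "size": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def known_sample(data: bytes) -> Optional[str]:
    """Label of the listed sample whose SHA-1 matches the data, else None."""
    return KNOWN_SHA1.get(fingerprint(data)["sha1"])


def is_appdata_dropper(image: str) -> bool:
    return APPDATA_DROPPER.search(image.lower()) is not None


@dataclass
class Proc:
    time: datetime
    ppid: int
    pid: int
    image: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> Dict[int, Proc]:
    """Parse 'time|ppid|pid|image' lines (assumed format for this example) into pid -> Proc."""
    procs: Dict[int, Proc] = {}
    for line in text.strip().splitlines():
        t, ppid, pid, image = line.split("|", 3)
        procs[int(pid)] = Proc(datetime.fromisoformat(t), int(ppid), int(pid), image)
    return procs


def owner_of(pid: int, procs: Dict[int, Proc]) -> Optional[Proc]:
    """Walk up past cmd.exe and the recon tools themselves to the program that started the chain."""
    rec = procs.get(pid)
    while rec is not None and rec.name in PASS_THROUGH:
        rec = procs.get(rec.ppid)
    return rec


def detect_recon_bursts(procs: Dict[int, Proc], min_tools: int = 3,
                        window_s: int = 60) -> List[dict]:
    """Flag every program under which >= min_tools distinct recon tools ran within window_s seconds."""
    by_owner = defaultdict(list)
    for rec in procs.values():
        if rec.name in RECON_TOOLS:
            owner = owner_of(rec.ppid, procs)
            if owner is not None:
                by_owner[owner.pid].append(rec)
    alerts = []
    for pid, tools in by_owner.items():
        names = {t.name for t in tools}
        span = (max(t.time for t in tools) - min(t.time for t in tools)).total_seconds()
        if len(names) >= min_tools and span <= window_s:
            owner = procs[pid]
            alerts.append({"owner_pid": pid, "owner_image": owner.image,
                           "tools": sorted(names),
                           "appdata_dropper": is_appdata_dropper(owner.image)})
    return alerts


# Constructed process-creation records modelled on the tree above; not captured data.
# The second cmd.exe/ipconfig pair is a benign admin session that must not alert.
SAMPLE_LOG = r"""
2014-04-07T09:44:00|0|800|c:\windows\explorer.exe
2014-04-07T09:44:01|800|1200|c:\documents and settings\test user\desktop\invoice.exe
2014-04-07T09:44:02|1200|1304|c:\documents and settings\test user\application data\ogxi\pyob.exe
2014-04-07T09:44:03|1304|1340|c:\windows\system32\cmd.exe
2014-04-07T09:44:03|1340|1352|c:\windows\system32\hostname.exe
2014-04-07T09:44:04|1340|1360|c:\windows\system32\ipconfig.exe
2014-04-07T09:44:04|1340|1372|c:\windows\system32\net.exe
2014-04-07T09:44:04|1372|1380|c:\windows\system32\net1.exe
2014-04-07T09:44:05|1340|1392|c:\windows\system32\netsh.exe
2014-04-07T09:44:05|1340|1400|c:\windows\system32\tasklist.exe
2014-04-07T09:50:00|800|1500|c:\windows\system32\cmd.exe
2014-04-07T09:50:01|1500|1510|c:\windows\system32\ipconfig.exe
"""

if __name__ == "__main__":
    for alert in detect_recon_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The attribution step matters: the sample ran its recon through cmd.exe, and net.exe hands off to net1.exe, so counting children of the immediate parent would under-count. Walking up through those pass-through images credits all six tools to pyob.exe, while the lone ipconfig under an interactive cmd.exe stays below the threshold.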

Example 3

File Information

Size
499K
SHA-1
f18fa848f0e630d35d0b4c833a7126398347ed12
MD5
c8336e69c40c85c69cb684ced2ea12b7
CRC-32
25cedde2
File type
Windows executable
First seen
2014-04-07
