Troj/ZbotMem-B

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 02 Mar 2011 15:46:43 (GMT)
Last Updated: 04 Jul 2012 15:38:30 (GMT)


Troj/ZbotMem-B is an in-memory detection for Zbot.


Zbot is an information-stealing Trojan that primarily targets online banking websites.


Zbot has the capability to steal a large array of different types of information, including login credentials entered into web forms and FTP program passwords.


Zbot is able to inject extra code into webpages as they are browsed, which can prompt the user to enter extra information useful to the attacker.


For further information on Zbot, please see: What Is Zeus?

Examples of Troj/ZbotMem-B include:

Example 1

File Information

File type: Windows executable

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Exteoz\hedia.exe
    Size: 145K
    SHA-1: 898e4088d7804e2a04492a14fa4ccdbc538bd5fd
    MD5: 3ad11e9a47ea0d3ea375390b2e4f48cc
    CRC-32: 1dacc13f
    File type: application/x-ms-dos-executable
    First seen: 2012-05-03
Processes Created
  • c:\windows\system32\cmd.exe

Example 2

File Information

Size: 169K
SHA-1: 0faa779a2799b2a0821ae0f77b355b700d809a2e
MD5: d5cab01ed1681efe1edb55b990cc63c6
CRC-32: ba19742d
File type: Windows executable
First seen: 2010-10-05

Other vendor detection

Kaspersky: Trojan-Spy.Win32.Zbot.aqnc
Trend: TSPY_ZBOT.SMMA

Example 3

File Information

Size: 114K
SHA-1: 45f29fc210ad146d4a21ad00160827faa7318938
MD5: 6e55898aae6ac1a9fb23c1d8046d77d1
CRC-32: 48256f66
File type: Windows executable
First seen: 2010-09-09

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Fada\katuo.exe
    Size: 114K
    SHA-1: 7601d36e62825c9d6ee76f5de0cb952d1e923734
    MD5: 2543b99e2d4326824f63af96ddacfb6d
    CRC-32: 089d5c50
    File type: Windows executable
    First seen: 2012-05-03
Processes Created
  • c:\windows\system32\cmd.exe
