Troj/ZBot-GOD

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 16 Oct 2013 01:58:48 (GMT)
Last Updated: 06 Jul 2016 21:12:50 (GMT)


Examples of Troj/ZBot-GOD include:

Example 1

File Information

Size: 488K
SHA-1: 00049ef3dd887f1ed36a7beae3dac64594e04f37
MD5: 2a7265b5f767a1a858a4fc7fbf152e97
CRC-32: ee38bd88
File type: Windows executable
First seen: 2013-10-15

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Vyek\abug.zol
    Size: 3.8K
    SHA-1: 0b33de7573ec85a2bf0b0a211772d8762ae5139e
    MD5: 309c3bcc9a19125f13e989a3bc4988ef
    CRC-32: 0673fdc2
    File type: Unspecified binary - probably data
    First seen: 2015-04-12
  • c:\Documents and Settings\test user\Application Data\Vyek\abug.tmp
    Size: 1.2K
    SHA-1: c9be05bdc350fedc009ffc7f90f50a419ec949b2
    MD5: 15844e775fc805c08335387ff7e39940
    CRC-32: 0ad9a36f
    File type: Unspecified binary - probably data
    First seen: 2015-04-12
  • c:\Documents and Settings\test user\Application Data\Favewi\onxy.exe
    Size: 488K
    SHA-1: 9e99ca3600fa5a147c9359fb680ddeb9e4c5dc72
    MD5: 357e64010335f4dc8201c8e51cb85c62
    CRC-32: ddd2f138
    File type: Windows executable
    First seen: 2015-04-12
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Uvzogi
    Ybtiec = (binary value; non-printable bytes, not reproduced here)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Ogvyemew = "c:\Documents and Settings\test user\Application Data\Favewi\onxy.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = f8 ae 20 4a e8 74 d0 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
Processes Created
  • c:\Documents and Settings\test user\application data\favewi\onxy.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • dino.zhga.biz

Example 2

File Information

File type: Windows executable
