Troj/Zbot-EUR

Category: Viruses and Spyware
Protection available since: 27 Apr 2013 21:07:08 (GMT)
Type: Trojan
Last Updated: 28 Apr 2013 02:15:25 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-EUR include:

Example 1

File Information

Size: 271K
SHA-1: 78c37037237bd0eb0482e0e13ccfdfc933c51101
MD5: d06e2447ee930403284dc8f3dce4dc31
CRC-32: 9cf8f39a
File type: Windows executable
First seen: 2013-04-27

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Byxax\itukk.tmp
    Size: 563
    SHA-1: 2884c713150b0a081e372bc8d67a108c73a8f1a5
    MD5: 0ad96b77b28f209b1d0d5ea2e0324c32
    CRC-32: 55eabdb0
    File type: Unspecified binary - probably data
    First seen: 2013-04-27
  • c:\Documents and Settings\test user\Application Data\Ycosim\anudc.exe
    Size: 271K
    SHA-1: f84332337b6a6748d662c1f6f027b3446c4accb1
    MD5: 31e6bb916e370ce03ea3bd3ce7fe897a
    CRC-32: 9fa07538
    File type: Windows executable
    First seen: 2013-04-27
  • c:\Documents and Settings\test user\Application Data\Byxax\itukk.fau
    Size: 477
    SHA-1: a23eb11ddb1adf8fc8c87fc9395637c13a4b5568
    MD5: 4e697f26d0203a6070a831256b6a814c
    CRC-32: ba7ff921
    File type: Unspecified binary - probably data
    First seen: 2013-04-27
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Nuoxre
    Myemubpi
    (binary value data; non-printable bytes not rendered)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9225C098-75C7-6D95-ED84-343899145B9F}
    "c:\Documents and Settings\test user\Application Data\Ycosim\anudc.exe"
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    1e 1a 5c a4 6d 43 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\ycosim\anudc.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://iliadis.gr/tv/config.bin
DNS Requests
  • iliadis.gr

Example 2

File Information

Size: 1.2M
SHA-1: b71b96f5fccf2a4892cbe58f865eeab8283333d8
MD5: f7fdb74e2a8ffe39491b679bbe2910d2
CRC-32: 2226dc6d
File type: Windows executable
First seen: 2013-04-26

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\Ad0be\Ad0be.exe
Registry Keys Created
  • HKCU\Software\Adobe Reader Speed Launcher
    ID
    YRVrgXYpfEgNVgahPFSoPt9t45gpy21
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Adobe Reader Speed Launcher
    c:\Documents and Settings\test user\Application Data\Ad0be\Ad0be.exe
Processes Created
  • c:\windows\system32\notepad.exe
DNS Requests
  • omcxasm.myftp.org

Example 3

File Information

Size: 132K
SHA-1: fb31db8e4be58a3fdf8bbaf5196e0d3a767045d0
MD5: 4f9d1f1795d3ecc9527c56a161643149
CRC-32: 650ca9d2
File type: Windows executable
First seen: 2013-04-26