ThreatExpert Report: Mal/Zbot-FG

Submission Summary:

Submission details:

Submission received: 6 September 2012, 04:21:42
Processing time: 7 min 52 sec
Submitted sample:

File MD5: 0x5D78AE955382F2291EF5DECDEFC305EF
File SHA-1: 0x00719C65114C6E48BD8DE4722B9453C1DFB6D44E
Filesize: 183,672 bytes
Alias: Mal/Zbot-FG [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\abcd.bat	75 bytes	MD5: 0x0849CFE65B98BA5FCD9A9EC61A671D09 SHA-1: 0x9D0CCB383C32B1BC07FD9064B9324A18E1276902	(not available)
2	[file and pathname of the sample #1]	183,672 bytes	MD5: 0x5D78AE955382F2291EF5DECDEFC305EF SHA-1: 0x00719C65114C6E48BD8DE4722B9453C1DFB6D44E	Mal/Zbot-FG [Sophos]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	57,344 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 41 34 43 36 41 45 45 39 2D 45 31 44 42 2D 34 32 32 41 2D 42 44 33 41 2D 36 43 43 42 36 31 38 38 35 37 30 45 7D

Other details

The following Host Names were requested from a host database:

108.178.59.26
209.59.223.7
remy-bijouterie.be
www.billmann.talktalk.net
wibawo.de

The following HTTP URLs were started reading:

http://remy-bijouterie.be/7Y5eYFR.exe
http://www.billmann.talktalk.net/8FAk.exe
http://wibawo.de/M16an5.exe

Downloaded File Summary:

Download details:

Download retrieved: 6 September 2012 04:29:35
Processing time: 7 min 46 sec
Downloaded sample:

File MD5: 0x57E0DA5B1FBC4C920F92F934F5065022
File SHA-1: 0xD2D818C470A3E237D35568BD91BF166E64659656
Filesize: 367,992 bytes
Alias: Mal/Zbot-FG [Sophos]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Vuim\otfy.exe	367,992 bytes	MD5: 0x8AC80E7E0FFD6C3A3B2739CD16F0783B SHA-1: 0x704A60430465733EE3AC116ECABB95283D60EC5A	Mal/Zbot-FG [Sophos]
2	%AppData%\alfu.yfe	1,322 bytes	MD5: 0xBEE522C39A96CCC2E9BED13887F0425E SHA-1: 0x6C3DDED1D5FF34F408D14794D6DDB974C194DCC4	(not available)
3	%Temp%\tmpfa13d4b6.bat	168 bytes	MD5: 0x83C65814BB96BD894C17AA5CCCA2C1FB SHA-1: 0xF51C4B092281DE951EACFF521B9387EDBABC5F46	(not available)
4	[file and pathname of the sample #1]	367,992 bytes	MD5: 0x57E0DA5B1FBC4C920F92F934F5065022 SHA-1: 0xD2D818C470A3E237D35568BD91BF166E64659656	Mal/Zbot-FG [Sophos]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directory was created:

%AppData%\Vuim

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	229,376 bytes
otfy.exe	%AppData%\Vuim\otfy.exe	229,376 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
cmd.exe	%System%\cmd.exe	278,528 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Ylbe

The newly created Registry Values are:

[HKEY_CURRENT_USER\Identities]

Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]

CleanCookies = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

{3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = ""%AppData%\Vuim\otfy.exe""

so that otfy.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Ylbe]

19ij1885 = "yNSRnrbHH/2ZKA=="
156240jf = "6tT0ng=="
2ffd7da7 = 24 EB F4 9E CA EE 6C FD AF 28 EA 24

The following Registry Values were modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1406 =
1609 =

Other details

To mark the presence in the system, the following Mutex object was created:

Local\{FA4803F7-084F-6AC9-A6BA-A75086AF8442}

The following Host Name was requested from a host database:

192.5.5.241

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.