Sonicwall Signatures
Zbot.FME
Zbot.FM is a Trojan horse that attempts to steal confidential banking information from the compromised computer. It may also download configuration files and updates from the Internet. It is spread mainly through drive-by downloads and phishing schemes. Zbot is also known as Zeus.

File Related Changes
It drops the following file(s) on the system:
  • "C:\WINDOWS\system32\drivers\1212a.sys"
  • "C:\Documents and Settings\Admin\Local Settings\Temp\VBWF3D.bat"

Process Related Changes
It creates the following mutex(es):

It creates the following process(es):
  • C:\WINDOWS\Temp\76fe3432c75ee724a8f20ea97696bd17.exe [ \c:\windows\temp\76fe3432c75ee724a8f20ea97696bd17.exe ]
  • C:\WINDOWS\system32\cmd.exe
  • C:\Documents and Settings\Admin\Local Settings\Temp\Oczu\ajobo.exe

It injects malicious code into the following process(es):
  • "C:\Documents and Settings\Admin\Local Settings\Temp\Oczu\ajobo.exe"
  • "C:\WINDOWS\system32\ctfmon.exe"
  • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
  • "C:\WINDOWS\system32\rundll32.exe"
  • "C:\WINDOWS\explorer.exe"

Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot:
  • HKLM\system\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\disablenotifications =

Relevant Information