Zbot.ES_4 is a Trojan horse that attempts to steal confidential banking information from the compromised computer. It may also download configuration files and updates from the Internet. It is spread mainly through drive-by downloads and phishing schemes. Zbot is also known as Zeus.

File Related Changes

It drops the following file(s) on the system (the paths are from a sandbox run under the user profile Admin; on another host the profile name will differ):
- "c:\Users\Admin\AppData\Local\Temp\hhgnrddkjee.exe"
- "c:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
- "c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EQUQ9Q00\dtn21[1].exe"
- "c:\Users\Admin\AppData\Roaming\Onina\aholo.exe"
- "c:\Users\Admin\AppData\Local\Temp\HLW9DB5.bat"
Process Related Changes

It creates the following mutex(es):
- "Global\{478CE5E7-1D74-1186-F63A-B06EDE0F9373}"
- "IESQMMUTEX_0_208"

IESQMMUTEX_0_208 is a mutex that Internet Explorer itself creates, so it is not a reliable indicator of this threat on its own; the GUID-named global mutex is the one worth matching on.
It creates the following process(es):
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
- C:\windows\temp\voice_message_10212013.exe.bin.exe
- C:\Users\Admin\AppData\Local\Temp\hhgnrddkjee.exe
- C:\Windows\system32\cmd.exe
- C:\Users\Admin\AppData\Roaming\Onina\aholo.exe
It injects malicious code into the following process(es):
- "C:\Windows\system32\taskhost.exe"
- "C:\Windows\system32\Dwm.exe"
- "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
Network Activity

It attempts to connect to the following remote servers:
- ocsp.verisign.net:80 (199.7.xxxxxx)
- osw3.com:443 (68.233.xxxxxx)
We observed the following DNS query/queries:
- rapidssl-crl.geotrust.com
- ocsp.geotrust.com
- rapidssl-ocsp.geotrust.com
- crl.microsoft.com
- osw3.com
- crl.geotrust.com

The OCSP and CRL hosts (ocsp.verisign.net, crl.microsoft.com and the geotrust.com names) are certificate-revocation endpoints that any TLS client may contact during a certificate check, so they should not be blocked or alerted on by themselves. The meaningful network indicator in this sample is the connection to osw3.com:443.
Registry Related Changes

It makes the following registry modification so that the infection persists after a system reboot:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\aholo = C:\Users\Admin\AppData\Roaming\Onina\aholo.exe
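The following triage script is an added example, not vendor code, that matches exported host artifacts (Run-key values, mutex names, DNS queries, outbound connections) against the indicators listed on this page. It normalises the sandbox's C:\Users\Admin paths to %APPDATA% / %LOCALAPPDATA% form so the indicators match any user profile, and treats the certificate-revocation hosts and the Internet Explorer mutex as noise. One generalisation goes beyond the report and is an assumption: an HKCU Run value whose target is an .exe inside a single subfolder of %APPDATA% is reported as a medium-confidence match even when the folder and file names differ, because those names vary between samples. The input records, the user jdoe and the folder Qefyl\ibxu.exe are constructed for the example.

```python
import re

# Indicators transcribed from the report (sandbox user profile was "Admin").
PERSISTENCE_VALUE = r"C:\Users\Admin\AppData\Roaming\Onina\aholo.exe"
MUTEX_IOC = r"Global\{478CE5E7-1D74-1186-F63A-B06EDE0F9373}"
C2_HOSTS = {"osw3.com"}

# Hosts the sample contacted that are OCSP/CRL certificate-revocation
# infrastructure. Any TLS client may reach them, so they are noise on their own.
CERT_CHECK_HOSTS = {
    "ocsp.verisign.net", "rapidssl-crl.geotrust.com", "ocsp.geotrust.com",
    "rapidssl-ocsp.geotrust.com", "crl.microsoft.com", "crl.geotrust.com",
}
# Created by Internet Explorer's SQM component; not an indicator by itself.
BENIGN_MUTEXES = {"IESQMMUTEX_0_208"}

_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)


def normalize_path(path: str) -> str:
    """Rewrite a per-user profile path to %appdata%/%localappdata% form,
    lower-cased, so indicators captured for the user 'Admin' match any user."""
    path = path.strip().strip('"')
    m = _PROFILE.match(path)
    if not m:
        return path.lower()
    var = "%appdata%" if m.group(1).lower() == "roaming" else "%localappdata%"
    return var + "\\" + path[m.end():].lower()


PERSISTENCE_NORM = normalize_path(PERSISTENCE_VALUE)  # %appdata%\onina\aholo.exe

# Assumption (not from the report): an HKCU Run target that is an .exe in a
# single subfolder of %APPDATA% has the shape of this persistence even when the
# randomly chosen folder and file names differ. Reviewed as medium confidence.
_APPDATA_EXE = re.compile(r"^%appdata%\\[^\\]+\\[^\\]+\.exe$")


def classify_run_value(value: str) -> str:
    """Severity for the data of an HKCU ...\\CurrentVersion\\Run value."""
    norm = normalize_path(value)
    if norm == PERSISTENCE_NORM:
        return "high"
    if _APPDATA_EXE.match(norm):
        return "medium"
    return "none"


def classify_mutex(name: str) -> str:
    if name == MUTEX_IOC:
        return "high"
    # BENIGN_MUTEXES and unknown names both fall through to "none"; the set is
    # kept so the reason for ignoring the IE mutex is explicit.
    return "none"


def classify_host(hostname: str) -> str:
    """Severity for a DNS query name or outbound connection hostname."""
    host = hostname.lower().rstrip(".")
    if host in C2_HOSTS:
        return "high"
    if host in CERT_CHECK_HOSTS:
        return "none"
    return "none"


def triage(records):
    """records: iterable of (kind, value) from exported host data.
    kinds: 'run' (Run value data), 'mutex', 'dns', 'conn' (hostname).
    Returns the matching records as (severity, kind, value) tuples."""
    hits = []
    for kind, value in records:
        if kind == "run":
            sev = classify_run_value(value)
        elif kind == "mutex":
            sev = classify_mutex(value)
        elif kind in ("dns", "conn"):
            sev = classify_host(value)
        else:
            sev = "none"
        if sev != "none":
            hits.append((sev, kind, value))
    return hits


# Constructed host export (not from the report): a different user profile,
# a differently named %APPDATA% autorun, a legitimate autorun and noise.
SAMPLE_RECORDS = [
    ("run", r"C:\Users\jdoe\AppData\Roaming\Onina\aholo.exe"),
    ("run", r"C:\Users\jdoe\AppData\Roaming\Qefyl\ibxu.exe"),
    ("run", r"C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"),
    ("mutex", r"Global\{478CE5E7-1D74-1186-F63A-B06EDE0F9373}"),
    ("mutex", "IESQMMUTEX_0_208"),
    ("dns", "ocsp.verisign.net"),
    ("conn", "osw3.com"),
]

if __name__ == "__main__":
    for sev, kind, value in triage(SAMPLE_RECORDS):
        print(f"{sev:6} {kind:5} {value}")
```

Running the script on the constructed export reports the Onina\aholo.exe autorun, the GUID mutex and osw3.com as high, the Qefyl\ibxu.exe autorun as medium for review, and nothing for the Adobe Reader autorun, the IE mutex or the OCSP lookup.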