Suspicious#zbot_4 is a Trojan horse that attempts to steal confidential banking information from the compromised computer. It may also download configuration files and updates from the Internet. It is spread mainly through drive-by downloads and phishing schemes. Zbot is also called Zeus.

File Related Changes

It drops the following file(s) on the system:
- "c:\Program Files\yvgteycq\hyxgoclh.exe"
- "c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyxgoclh.exe"

Process Related Changes

It creates the following mutex(es):
- "{54520D92-89E7-D5D6-94CC-53CFCEA1470A}"

It creates the following process(es):
- c:\Program Files\Internet Explorer\iexplore.exe [ \c:\Program Files\Internet Explorer\iexplore.exe ]

Network Activity

It attempts to connect to the following remote servers:
- google.com:80 (74.125.xxxxxx)
- promoliks.com:443 (66.228.xxxxxx)
- stromoliks.com:443 (66.228.xxxxxx)

We observed the following DNS query/queries:
- promoliks.com
- stromoliks.com