SonicALERT

Sonicwall Signatures

ZBot.DX
ZBot.DX is a Trojan horse that attempts to steal confidential banking information from the compromised computer. It may also download configuration files and updates from the Internet. It is spread mainly through drive-by downloads and phishing schemes. ZBot is also known as Zeus.

File Related Changes
It drops the following file(s) on the system:
  • "c:\Users\Admin\AppData\Local\Temp\tmpe6a26898.bat"
  • "c:\Users\Admin\AppData\Roaming\Duaxr\ibew.exe"

Process Related Changes
It creates the following mutex(es):
  • "IESQMMUTEX_0_208"
  • "DBWinMutex"

It creates the following process(es):
  • C:\Users\Admin\AppData\Roaming\Duaxr\ibew.exe
  • C:\Windows\system32\cmd.exe

It injects malicious code into the following process(es):
  • "C:\Windows\System32\mobsync.exe"
  • "C:\Windows\system32\taskhost.exe"
  • "C:\Windows\system32\Dwm.exe"
  • "C:\Windows\system32\SearchProtocolHost.exe"
  • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"

Network Activity
We observed the following DNS query/queries:
  • microsoft-update.name

Registry Related Changes
It makes the following registry modification(s) to ensure infection persists after system reboot:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{c657689c-3cf5-82c9-5b97-8c459ae9fd09} = C:\Users\Admin\AppData\Roaming\Duaxr\ibew.exe


Relevant Information