Virus: TR/Spy.ZBot.alj
Date discovered: 28/08/2009
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
File size: 114688 Bytes
MD5 checksum: 237f86451bbfb4341d130a5de71ca9e3
VDF version: 7.01.05.178
IVDF version: 7.01.05.179 - Friday, August 28, 2009

General

Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files

It copies itself to the following location:
   • %temp%\%10 digit random character string% .pre



It deletes the initially executed copy of itself.



The following file is created:

– %temp%\%random character string%\%random character string%.exe

It is executed once it has been fully created. Further investigation showed that this file is malware as well.

Registry

One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%random character string%\%random character string%.exe"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre"

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre"

Miscellaneous

Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • zeo**********-gt.com
   • fen**********.com

Description inserted by Wensin Lee on Wednesday, March 13, 2013
Description updated by Wensin Lee on Wednesday, March 13, 2013
