Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.
PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: searching new zbot variant

Post by PX5 » Thu Sep 30, 2010 7:30 am

Should be the Zeus2 you're looking for.
Arrogance led me to my Ignorance

nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Trojan Zeus (alias ZBot)

Post by nullptr » Thu Nov 18, 2010 5:02 am

Playing with this sample with OllyDbg in Virtual PC XP Mode on Win7 x64 and received notification from the host machine:
C:\Applications\DebugView\Dbgview.exe
Win32/TrojanDownloader.Small.PAC trojan cleaned - quarantined
Event occurred on a file modified by the application: C:\Windows\winsxs\amd64_microsoft-windows-virtualpc ui-vmwindow_31bf3856ad364e35_7.1.7600.16393_none_c661bbf36eaa14f2\VMWindow.exe
File was definitely infected.
A nice escape :)

edit: Actually the alert came when I ran the sample outside the debugger, i.e. infected the VM.
Last edited by EP_X0FF on Wed Nov 02, 2011 4:50 am, edited 2 times in total.
Reason: title edited

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: W32/Zbot

Post by EP_X0FF » Thu Nov 18, 2010 8:09 am

What is that? :)
0xBF28CD64
Ring0 - the source of inspiration

nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Re: W32/Zbot

Post by nullptr » Thu Nov 18, 2010 12:16 pm

;) unpacked with special guest # BOT NOT CRYPTED :lol:

GamingMasteR
Global Moderator
Posts: 228
Joined: Sun Mar 07, 2010 10:52 am

Re: W32/Zbot

Post by GamingMasteR » Fri Nov 19, 2010 7:10 pm

You are enabling shared folder?

nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Re: W32/Zbot

Post by nullptr » Fri Nov 19, 2010 10:13 pm

I was, but not anymore when playing with malware lol

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

PWS:Win32/Zbot

Post by markusg » Mon Dec 27, 2010 8:30 pm


EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: backdoor

Post by EP_X0FF » Tue Dec 28, 2010 3:37 am

Typical ZBot.

Unpacked sample results

http://www.virustotal.com/file-scan/rep ... 1293507474
Ring0 - the source of inspiration

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: W32/Zbot

Post by markusg » Tue Jan 25, 2011 7:44 pm


PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: W32/Zbot

Post by PX5 » Wed Jan 26, 2011 7:53 pm

Lmfao!....nullptr, some lessons are best learned in a fashion not easily forgettable, for sure, don't feel like the lone ranger!

I've found when using certain types of wireless via host and vm, this can also be a bad thing. :lol:
Arrogance led me to my Ignorance
