SHA256: 67e537afbd21945e256280adf632aa9bee5ab926b082c9858be86692a115b8ba
File name: a.exe
Detection ratio: 39 / 46
Analysis date: 2013-04-23 11:54:28 UTC ( 12 months ago )
Antivirus Result Update
AVG PSW.Generic10.BVWO 20130423
Agnitum TrojanSpy.Zbot!IOIt6TUvWGw 20130423
AhnLab-V3 Win-Trojan/Zbot.291840.B 20130422
AntiVir TR/Beebone.2914587 20130423
Avast Win32:Dropper-gen [Drp] 20130423
BitDefender Gen:Variant.Zusy.36225 20130423
ByteHero Virus.Win32.Heur.p 20130418
CAT-QuickHeal Trojan.Zbot 20130423
Commtouch W32/VBcrypt.AP.gen!Eldorado 20130423
Comodo TrojWare.Win32.Zbot.A 20130423
DrWeb Trojan.PWS.Panda.3035 20130423
ESET-NOD32 Win32/Spy.Zbot.AAO 20130423
Emsisoft Trojan-Spy.Win32.Zbot (A) 20130423
F-Prot W32/VBcrypt.AP.gen!Eldorado 20130423
F-Secure Gen:Variant.Zusy.36225 20130423
Fortinet W32/Zbot.AAO!tr 20130423
GData Gen:Variant.Zusy.36225 20130423
Ikarus Trojan-PWS.Win32.Zbot 20130423
K7AntiVirus Riskware 20130422
K7GW Riskware 20130422
Kaspersky Trojan-Spy.Win32.Zbot.jcqn 20130423
Kingsoft Win32.Troj.Zbot.jc.(kcloud) 20130422
Malwarebytes Trojan.Agent.SZ 20130423
McAfee PWS-Zbot.gen.oj 20130423
McAfee-GW-Edition PWS-Zbot.gen.oj 20130423
MicroWorld-eScan Gen:Variant.Zusy.36225 20130423
Microsoft PWS:Win32/Zbot 20130423
NANO-Antivirus Trojan.Win32.Zbot.biajlq 20130423
Norman VBInject.IFY 20130423
PCTools Trojan.Zbot 20130423
Panda Generic Malware 20130423
SUPERAntiSpyware Trojan.Agent/Gen-Dropper 20130423
Sophos Troj/Zbot-DYC 20130423
Symantec Trojan.Zbot 20130423
TrendMicro TSPY_ZBOT.DTS 20130423
TrendMicro-HouseCall TSPY_ZBOT.DTS 20130423
VBA32 TrojanSpy.Zbot 20130422
VIPRE Trojan.Win32.Generic.pak!cobra 20130423
nProtect Trojan-Spy/W32.ZBot.291840.AA 20130423
Antiy-AVL (no detection) 20130423
ClamAV (no detection) 20130423
Jiangmin (no detection) 20130423
TheHacker (no detection) 20130422
TotalDefense (no detection) 20130423
ViRobot (no detection) 20130423
eSafe (no detection) 20130423
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright Can anyone test
Publisher you have a pm
Product Unread 0
Original name a.exe
Internal name a
File version 1.01.0443
Comments I m in computer class now
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-13 16:22:29
Entry Point 0x000012F8
Number of sections 3
PE sections
PE imports
_adj_fdiv_m32
__vbaChkstk
__vbaCyI2
_CIcos
EVENT_SINK_QueryInterface
__vbaI4Cy
_adj_fdivr_m64
__vbaErase
_adj_fprem
__vbaAryMove
_adj_fpatan
EVENT_SINK_AddRef
__vbaRefVarAry
Ord(629)
__vbaVarVargNofree
_adj_fdiv_m32i
__vbaStrCopy
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
__vbaStrVarMove
__vbaStrToUnicode
_adj_fdivr_m16i
__vbaUbound
EVENT_SINK_Release
_adj_fdiv_r
Ord(100)
_CItan
__vbaFreeVar
__vbaI2Str
__vbaObjSetAddref
__vbaFixstrConstruct
__vbaAryConstruct2
__vbaInStr
_adj_fdiv_m64
__vbaFreeObj
_CIsin
_CIsqrt
__vbaHresultCheckObj
_CIlog
_allmul
__vbaAryLock
__vbaLsetFixstr
Ord(713)
_adj_fptan
__vbaVarDup
__vbaAryUnlock
__vbaVar2Vec
_CIatan
__vbaNew2
__vbaVarCat
_adj_fdivr_m32i
__vbaAryDestruct
_CIexp
__vbaStrMove
__vbaStrToAnsi
_adj_fprem1
_adj_fdivr_m32
__vbaStrCat
__vbaFreeStrList
Ord(598)
__vbaFreeStr
_adj_fdiv_m16i
Number of PE resources by type
RT_ICON 4
JK 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 7
CHINESE TRADITIONAL 1
ExifTool file metadata
UninitializedDataSize 0
Comments I m in computer class now
InitializedDataSize 262144
ImageVersion 1.1
ProductName Unread 0
FileVersionNumber 1.1.0.443
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
LinkerVersion 6.0
OriginalFilename a.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 1.01.0443
TimeStamp 2013:02:13 16:22:29+00:00
FileType Win32 EXE
PEType PE32
InternalName a
FileAccessDate 2013:04:23 12:54:21+01:00
ProductVersion 1.01.0443
SubsystemVersion 4.0
OSVersion 4.0
FileCreateDate 2013:04:23 12:54:21+01:00
FileOS Win32
LegalCopyright Can anyone test
MachineType Intel 386 or later, and compatibles
CompanyName you have a pm
CodeSize 28672
FileSubtype 0
ProductVersionNumber 1.1.0.443
EntryPoint 0x12f8
ObjectFileType Executable application
Compressed bundles
File identification
MD5 f66358bf351e6038b9a75b2f0f01860d
SHA1 a6f07f47addff4167ad66f79888261a9b21e5150
SHA256 67e537afbd21945e256280adf632aa9bee5ab926b082c9858be86692a115b8ba
ssdeep 6144:eLyjZTQtGx14Tl/+omoYox53/Hn8BDxkqw:Vp2TlGJoBxNvnj
File size 285.0 KB ( 291840 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (88.6%)
Win32 Executable (generic) (7.0%)
Generic Win/DOS Executable (2.1%)
DOS Executable Generic (2.1%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe

VirusTotal metadata
First submission 2013-02-18 14:31:13 UTC ( 1 year, 2 months ago )
Last submission 2013-03-11 21:13:09 UTC ( 1 year, 1 month ago )
File names a
virus.scr
test.scr
f66358bf351e6038b9a75b2f0f01860d
bomba_atomica_sinistra.exe
file-5163040_
a.exe
pdf_delta_ticket.scr
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Created processes
Code injections in the following processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
UDP communications