Sus/Dbot-A

Category: Suspicious Behavior and Files Protection available since:20 Aug 2008 17:16:52 (GMT)
Type: Suspicious file Last Updated:08 Jul 2011 17:49:42 (GMT)

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Sus/Dbot-A is a file with behavioral characteristics typical of backdoor Trojans.

Typical functionality includes:

Installation of itself in a system folder and setting of a runkey;
Accessing the internet to communicate with a remote server via HTTP;
Possibly scanning for, and attempting to terminate, security related processes.

Members of Sus/Dbot-A may also include spreading functionality.

Examples of Sus/Dbot-A include:

Example 1

File Information

Size
297K
SHA-1
1d7832b3417a478632fd44fd114860c0297d6de1
MD5
21e2536bf76c165381c6191c4f45e4c2
CRC-32
3511e23c
File type
application/x-ms-dos-executable
First seen
2010-06-25

Other vendor detection

Avira
TR/Dldr.Agen.304128
Kaspersky
Trojan-Downloader.Win32.Delf.aclw

Runtime Analysis

DNS Requests
  • va.adsbj.cn

Example 2

File Information

Size
1017K
SHA-1
5b6c908ed36e2670a0b1bd38d746da6720ffebb5
MD5
4496c9ebf313d23b8829b967a1afb909
CRC-32
06043b48
File type
application/x-ms-dos-executable
First seen
2010-07-01

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Favorites\????????????????????????????.url
    Size
    100
    SHA-1
    d5c2839315a3a6cd3918762f96fddeb32894c8aa
    MD5
    02f97f3b6e1a3a3dae5c77cd1a3b4783
    CRC-32
    93d158c7
    File type
    application/octet-stream
    First seen
    2010-07-25
  • c:\Documents and Settings\test user\Desktop\Internet Explorer.url
  • c:\Documents and Settings\test user\Application Data\Microsoft\Internet Explorer\Quick Launch\?????? Internet Explorer ???????????????.url
  • c:\Documents and Settings\test user\Start Menu\?????? Internet Explorer ???????????????.url
  • C:\WINDOWS\ime\SPTIPIMERS.ini
    Size
    10
    SHA-1
    2842ff5b939d1e52984c70a9bc73f9ee46d07260
    MD5
    422887f4f4aab2b353a1b0f00ccd5239
    CRC-32
    59089f62
    File type
    application/octet-stream
    First seen
    2010-10-02
  • C:\Program Files\QVOD5\QvodEx.dll
Modified Files
  • %PROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    • Changed the file contents
Registry Keys Modified
  • HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
    (Default)
    "C:\Program Files\Internet Explorer\iexplore.exe" www.133.net
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Start Page
    http://www.133.net
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\regsvr32.exe

Example 3

File Information

Size
271K
SHA-1
b0483e7cf9e3b7abf239414c1757ddad0efa1e59
MD5
2aec0e1226d757d75792a97743b79c0c
CRC-32
7e77c03c
File type
application/x-ms-dos-executable
First seen
2010-06-28

Runtime Analysis

Processes Created
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://dev.gasuo.net/chk/vjtmp.txt
DNS Requests
  • dev.gasuo.net

download Try Sophos products for free
Download now

© 1997 - 2013 Sophos Ltd. All rights reserved. Legal Privacy Cookie Information