Mal/Dorkbot-K

Category: Viruses and Spyware
Protection available since: 18 Nov 2012 00:07:07 (GMT)
Type: Malicious behavior
Last Updated: 18 Nov 2012 00:07:07 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Dorkbot-K include:

Example 1

File Information

Size
351K
SHA-1
06c83f404735f1fa72f167ffa129a7f51b28da55
MD5
4ba0f06da605b01091b2fef75ae1c3ed
CRC-32
3257f7ea
File type
Windows executable
First seen
2012-08-26

Other vendor detection

Kaspersky
Trojan-Spy.Win32.Zbot.bopd

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Native\STUBEXE\@SYSTEM@\cmd.exe
    Size
    17K
    SHA-1
    c303399405795700ed9ab71692fd219872537964
    MD5
    b2337715e2137fcff576a8ae159fdd02
    CRC-32
    70ca1d54
    File type
    Windows executable
    First seen
    2012-09-03
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\XRegistry.tmp
  • c:\Documents and Settings\test user\Application Data\Xafu\ixiv.tmp
    Size
    315
    SHA-1
    05e6637d36f95187114ed353c3ebc8d24ee52245
    MD5
    ba74b1f2ddbcebc1b1b27be81b4e0ed7
    CRC-32
    f686eb08
    File type
    application/octet-stream
    First seen
    2012-11-17
  • c:\Documents and Settings\test user\Application Data\Xafu\ixiv.xoz
    Size
    477
    SHA-1
    46659bf61b4a965db4f473fe248e0ac7278c6cae
    MD5
    de8e6342b8d30f31d56b96e4c1070c01
    CRC-32
    4655a57d
    File type
    application/octet-stream
    First seen
    2012-11-17
  • c:\Documents and Settings\test user\Application Data\Ucucp\wufy.exe
    Size
    138K
    SHA-1
    5e33231cb86afba0999478b94929b6f2995794eb
    MD5
    cf2f2be06411a3f834a3280e2438ab5b
    CRC-32
    a13f9999
    File type
    application/x-ms-dos-executable
    First seen
    2012-11-17
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Native\STUBEXE\@APPDATA@\Ucucp\wufy.exe
    Size
    17K
    SHA-1
    77752789e17bb163d447fb3c7d7378fb275223b9
    MD5
    88ba4603147112669ac867edc376c115
    CRC-32
    ed1627ec
    File type
    application/x-ms-dos-executable
    First seen
    2012-11-17
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Iqfa
    Ukafc
    (binary data, not printable)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {3181EA68-2764-A33A-EDD4-717780984E1E}
    "c:\Documents and Settings\test user\Application Data\Ucucp\wufy.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    aa 4b 68 23 1c c5 cd 01
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.08.20t12.19\native\stubexe\@appdata@\ucucp\wufy.exe
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.08.20t12.19\native\stubexe\@system@\cmd.exe
HTTP Requests
  • http://grainmunch.pro/grain/config.bin
DNS Requests
  • grainmunch.pro
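The host-side artifacts in the runtime analysis above follow a pattern that can be hunted for without relying on the sample's hashes: a Run value named like a GUID that launches an .exe from a randomly named directory under Application Data, value 1609 (display mixed content) set to 0 in Internet Explorer zones 0, 1, 2 and 4, CleanCookies set to 0, and a randomly named key under HKCU\Software\Microsoft holding a single binary blob. The Xenocode\Sandbox paths are stubs created by the analysis environment's application virtualization rather than by the sample, so they are not worth looking for on a real host. The following Python script is an added example, not Sophos code: it parses a constructed .reg export containing Example 1's registry entries plus one benign Run value (the `Updater` entry, the Zones\3 value and the truncated hex blob are made up for illustration) and applies those heuristics. The Application Data check also accepts %APPDATA% and AppData\Roaming paths, which generalizes beyond the Windows XP paths shown on this page.

```python
import re

# Constructed .reg export: Example 1's registry entries from this page plus one
# benign Run value ("Updater"), a Zones\3 value and a truncated hex blob, all
# assembled for illustration (not a real export from an infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{3181EA68-2764-A33A-EDD4-717780984E1E}"="\"c:\\Documents and Settings\\test user\\Application Data\\Ucucp\\wufy.exe\""
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Iqfa]
"Ukafc"=hex:d7,00,00,01,40,54,00,40,62,00,\
  61,00,00,00,70,00,00,2d,00
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# XP-style "Application Data" as on this page, plus %APPDATA% / AppData\Roaming
APPDATA_EXE = re.compile(
    r"(?:\\Application Data|\\AppData\\Roaming|%APPDATA%)\\[^\\]+\\[^\\]+\.exe$", re.I)
ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(\d+)$", re.I)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}.
    dword -> int, hex -> bytes, quoted strings -> unescaped str."""
    reg, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        while raw.endswith("\\") and i < len(lines):  # hex data continues on the next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        if raw.startswith("dword:"):
            data = int(raw[6:], 16)
        elif raw.startswith("hex"):
            data = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            data = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            data = raw
        reg[current][name] = data
    return reg


def suspicious_run_entries(reg):
    """Run values named like a GUID that start an .exe from a directory
    directly under the roaming profile data folder."""
    hits = []
    for key, values in reg.items():
        if not key.upper().endswith(r"\CURRENTVERSION\RUN"):
            continue
        for name, data in values.items():
            path = data.strip('"') if isinstance(data, str) else ""
            if GUID_NAME.match(name) and APPDATA_EXE.search(path):
                hits.append((name, path))
    return hits


def zones_with_mixed_content_prompt_off(reg):
    """Zones where value 1609 (display mixed content) is 0, i.e. shown without a prompt."""
    zones = []
    for key, values in reg.items():
        m = ZONE_KEY.search(key)
        if m and values.get("1609") == 0:
            zones.append(int(m.group(1)))
    return sorted(zones)


def opaque_blob_keys(reg):
    r"""Keys directly under HKCU\Software\Microsoft whose only content is one binary
    value (on this page: HKCU\Software\Microsoft\Iqfa\Ukafc). Compare against a
    known-good baseline of the same host before acting on these."""
    parent = r"HKEY_CURRENT_USER\Software\Microsoft".lower()
    hits = []
    for key, values in reg.items():
        head, _, _leaf = key.rpartition("\\")
        if head.lower() != parent or len(values) != 1:
            continue
        (name, data), = values.items()
        if isinstance(data, bytes):
            hits.append((key, name, len(data)))
    return hits


def triage(text):
    reg = parse_reg_export(text)
    privacy = reg.get(r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy", {})
    return {
        "run": suspicious_run_entries(reg),
        "zones_1609_zero": zones_with_mixed_content_prompt_off(reg),
        "clean_cookies_zero": privacy.get("CleanCookies") == 0,
        "blob_keys": opaque_blob_keys(reg),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG).items():
        print(k, v)
```

On a live host, export HKCU with `reg export HKCU hkcu.reg` and feed the file to `triage`; the GUID-named Run value pointing into Application Data is the strongest single signal here, while the 1609 and CleanCookies values and the single-blob key are corroborating evidence that should be compared with a clean baseline before being treated as conclusive.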

Example 2

File Information

Size
351K
SHA-1
0f0b818caa45e75d2a6a1436d34e777aec594346
MD5
9572739d889233db298dd0cd524f8ffd
CRC-32
87691622
File type
Windows executable
First seen
2012-08-05

Other vendor detection

Kaspersky
Trojan-Spy.Win32.Zbot.bopd

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
  • c:\Documents and Settings\test user\Application Data\Eqzule\haic.gah
    Size
    477
    SHA-1
    173e7be266329ed28f518a9c5a5636ba13ed8f36
    MD5
    dc0f834d818c6d5b23106e18ac92afe0
    CRC-32
    c41c1d62
    File type
    application/octet-stream
    First seen
    2012-11-18
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Native\STUBEXE\@APPDATA@\Qalufu\umfea.exe
    Size
    17K
    SHA-1
    c9cb71db677aba57df1d373ac831e9aa75f0d352
    MD5
    2d7bf9b0f13aa97af95a75e0c4e78e84
    CRC-32
    5b7f70fb
    File type
    application/x-ms-dos-executable
    First seen
    2012-11-18
  • c:\Documents and Settings\test user\Application Data\Eqzule\haic.tmp
    Size
    315
    SHA-1
    a0a434b68ba45a402be6eb9f10a8fc654d5e6f20
    MD5
    c359e8fa56a2280b718deb7adf96de2f
    CRC-32
    5f406b46
    File type
    application/octet-stream
    First seen
    2012-11-18
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
  • c:\Documents and Settings\test user\Application Data\Qalufu\umfea.exe
    Size
    138K
    SHA-1
    af30c5ad40fa2ea92ee3c0ab542082c697911aa8
    MD5
    53ffb3c862f02268874a37377a420fe1
    CRC-32
    db2467a0
    File type
    application/x-ms-dos-executable
    First seen
    2012-11-18
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {DEB5F4A1-4BF0-9C17-7B46-C95CA45E9D17}
    "c:\Documents and Settings\test user\Application Data\Qalufu\umfea.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Yfub
    Voem
    (binary data, not printable)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    c2 3f 5d 97 1f c5 cd 01
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.07.19t06.20\native\stubexe\@appdata@\qalufu\umfea.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://plaingrovesource.net/techo/config.bin
DNS Requests
  • plaingrovesource.net

Example 3

File Information

Size
351K
SHA-1
1c33b468c47aed7c8ab7ac8b064e6cd9246fde43
MD5
aeb41d05275ad4747621a2846576581e
CRC-32
12d807e1
File type
Windows executable
First seen
2012-01-03

Other vendor detection

Kaspersky
Trojan-Spy.Win32.Zbot.bopd

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Orca\akwi.tmp
    Size
    315
    SHA-1
    396085aa8baef947e0b1e3ea3cf067f8e1548f89
    MD5
    9783a1980b1966a442116b551a7999f7
    CRC-32
    ccac0cdf
    File type
    application/octet-stream
    First seen
    2012-11-17
  • c:\Documents and Settings\test user\Application Data\Orca\akwi.aha
    Size
    477
    SHA-1
    557d48877acbc8d430d0b9b9fb25b7cee4f418a4
    MD5
    649bb49b2c16156ab88d8515e8ecb666
    CRC-32
    eb3c656a
    File type
    application/octet-stream
    First seen
    2012-11-17
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
  • c:\Documents and Settings\test user\Application Data\Icpe\tosow.exe
    Size
    138K
    SHA-1
    c57cecbd349d6556dadb08cbf5a95bab8a423c05
    MD5
    1e5029df3062fdc1238d418f63be61aa
    CRC-32
    a4700ce7
    File type
    application/x-ms-dos-executable
    First seen
    2012-11-17
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\XRegistry.tmp
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Native\STUBEXE\@APPDATA@\Icpe\tosow.exe
    Size
    17K
    SHA-1
    96f58c0df466d551ef068a626818f608595d02bf
    MD5
    f577f57b5f12f277b1d87106f7836cd7
    CRC-32
    40b42e77
    File type
    application/x-ms-dos-executable
    First seen
    2011-12-21
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Native\STUBEXE\@SYSTEM@\cmd.exe
    Size
    17K
    SHA-1
    44896ad95f9462690947a15b796a891c14af8ce2
    MD5
    84ced7e9bcc8fa554c6e89a0d8f7fdb4
    CRC-32
    dd6814cf
    File type
    application/x-ms-dos-executable
    First seen
    2012-01-22
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Higeeh
    Vyoqx
    (binary data, not printable)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {B9BD555D-55DB-29AA-C758-B1E96AE4C954}
    "c:\Documents and Settings\test user\Application Data\Icpe\tosow.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    ea f0 a1 ee 1d c5 cd 01
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2011.12.13t07.13\native\stubexe\@appdata@\icpe\tosow.exe
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2011.12.13t07.13\native\stubexe\@system@\cmd.exe
HTTP Requests
  • http://80.82.64.71/~checking/launch/config.bin
IP Connections
  • 80.82.64.71:80
