Examples of Troj/Zbot-BXV include:
Example 1
File Information
- Size: 196K
- SHA-1: 3b085bfd11254747907ce25bcfb6d58dc4a19290
- MD5: 8ceb3cdf5ed38d1fcbf3d58563af6c5c
- CRC-32: 3997edc5
- File type: Windows executable
- First seen: 2012-04-03
Other vendor detection
- Avira: TR/Crypt.XPACK.Gen
- Kaspersky: Trojan-Downloader.Win32.Injecter.kpa
Runtime Analysis
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
  - Name = giuz.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - {62CA0015-299B-88DE-35DD-7D4CA0DADBD7} = "c:\Documents and Settings\test user\Application Data\Idihnag\giuz.exe"
- HKCU\Software\Microsoft\Niaf
  - Dugyxog = □□□□□□□d□□□□□□□p!□@□□□C□□□□□□□□□□□P□□(□□?□□□□□□□@W□□□□@{□□□□□□□P□□`□□□□0@□@□□□□□□□□□□□p>□□□□□□□□□□□M□`□□□□□□Q□p□□□M□0□□□?□0 □□□□□r□P□□□□□0□□p□□□□□□□□□~□□□□0□□□E□□)□@□□ □□□□□ (binary value; rendered as unprintable characters in the report)
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies = 0x00000000
- HKCU\Identities
  - Identity Login = 0x00098053
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609 = 0x00000000
- HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
  - ID = 0x452dec33
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp = ae 80 e4 0a 47 3a cd 01
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609 = 0x00000000
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count = 0x00000006
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609 = 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\idihnag\giuz.exe
HTTP Requests
- http://pantera-hd.ru/images/load.php
- http://www.google.ru/intl/ru/options
- http://www.google.ru/intl/ru/options/
DNS Requests
- pantera-hd.ru
- scaranio.com
- www.google.ru
Example 2
File Information
- Size: 196K
- SHA-1: 452c3e5f292651c5d5245b57bf2f91560d4da746
- MD5: 53caeea6441504f8f3a462a6c6f58575
- CRC-32: 275d9d23
- File type: Windows executable
- First seen: 2012-05-04
Other vendor detection
- Avira: TR/Crypt.XPACK.Gen
- Kaspersky: Trojan-Downloader.Win32.Injecter.kpa
Runtime Analysis
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
  - Name = test_item.exe
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
  - ID = 0x452dec33
Example 3
File Information
- Size: 196K
- SHA-1: 7b99f120e47c9371d806eee78d9497fb508f1f86
- MD5: 2753a3b543b59eedaee25dbaec9fbe8a
- CRC-32: cce04175
- File type: Windows executable
- First seen: 2012-04-06
Other vendor detection
- Avira: TR/Crypt.XPACK.Gen
- Kaspersky: Trojan-Downloader.Win32.Injecter.kpa
Runtime Analysis
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
  - Name = test_item.exe
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
  - ID = 0x452dec33