Troj/Zbot-CSQ

Category: Viruses and Spyware
Protection available since: 09 Oct 2012 14:40:50 (GMT)
Type: Trojan
Last Updated: 09 Oct 2012 14:40:50 (GMT)
Prevalence: Small Number of Reports

Troj/Zbot-CSQ exhibits the following characteristics:

File Information

Size: 989K
SHA-1: 9deb01979633433a8393dd442cefa0f8dddeba02
MD5: bf65560221abecb90d99bea78d492872
CRC-32: 64676cbd
File type: Windows executable
First seen: 2012-10-09

Other vendor detection

Kaspersky: Trojan-Spy.Win32.Zbot.bopd

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@APPDATA@\Ifypda\ulwyg.exe
    Size: 17K
    SHA-1: 6c1904627b5f01175b21fe00cdcdc8cd930f25aa
    MD5: 44b497802b8b870edc4354e518d8b3ad
    CRC-32: 03fee74b
    File type: Windows executable
    First seen: 2012-10-09
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
  • c:\Documents and Settings\test user\Application Data\Qyboo\kyfaa.uhu
    Size: 477
    SHA-1: ea46e9e6436f652392fe8ebb3c6130186165b642
    MD5: d93328450e06af71c3726da97b76856c
    CRC-32: 5e4f2148
    File type: Unspecified binary - probably data
    First seen: 2012-10-09
  • c:\Documents and Settings\test user\Application Data\Ifypda\ulwyg.exe
    Size: 138K
    SHA-1: 652c884f5f3bf11d5889675030f60c676caaae74
    MD5: f08b9d25139c141df9e8d349d8db20de
    CRC-32: 1b42387b
    File type: Windows executable
    First seen: 2012-10-09
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@APPDATA@\Ifypda\ulwyg.exe
    Size: 17K
    SHA-1: 8c05a11c8c4b3fbf5981b21ab99313b77c605bb2
    MD5: c928d61c0ce0ecc5b02db29041c0413b
    CRC-32: fba0f4eb
    File type: Windows executable
    First seen: 2012-10-09
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\XRegistry.tmp
  • c:\Documents and Settings\test user\Local Settings\Temp\list1.exe
    Size: 604K
    SHA-1: 0f713c31f43b69c4a20f07f52431621d7259f181
    MD5: 683e8f8e24bad86e8911467080bd4110
    CRC-32: c3b66d88
    File type: Windows executable
    First seen: 2012-10-09
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\XRegistry.tmp
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@SYSTEM@\cmd.exe
    Size: 17K
    SHA-1: 67d9f26611c88f11cd76229c34ad7f01f014a189
    MD5: cae28786ce36131ee3d353de92620e5c
    CRC-32: 9e22ddf3
    File type: Windows executable
    First seen: 2012-10-09
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
  • c:\Documents and Settings\test user\Application Data\Qyboo\kyfaa.tmp
    Size: 315
    SHA-1: 2ca7217f7dba1291feda6788f16aa318f07a0e09
    MD5: 4c3d5617584010a72cde173c6b75facc
    CRC-32: f80096e9
    File type: Unspecified binary - probably data
    First seen: 2012-10-09
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@SYSTEM@\cmd.exe
    Size: 17K
    SHA-1: 2a350722003c447deca359a8c6089b394bab8344
    MD5: fd95f32e858349271d3025b90455d77b
    CRC-32: 667cce53
    File type: Windows executable
    First seen: 2012-10-09
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8} = "c:\Documents and Settings\test user\Application Data\Ifypda\ulwyg.exe"
  • HKCU\Software\Microsoft\Yfudw
    Zauko = (binary data; non-printable bytes not shown)
  • HKCU\Identities
    Identity Login = 0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 06 9e 17 7e fb a5 cd 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.10.08t14.54\native\stubexe\@appdatalocal@\xenocode\sandbox\1.0.0.0\2012.10.08t14.49\native\stubexe\@appdata@\ifypda\ulwyg.exe
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.10.08t14.54\native\stubexe\@appdatalocal@\xenocode\sandbox\1.0.0.0\2012.10.08t14.49\native\stubexe\@system@\cmd.exe
  • c:\docume~1\support\locals~1\temp\list1.exe
HTTP Requests
  • http://locusty.com/ckan/config.bin
DNS Requests
  • locusty.com