Troj/Zbot-CSQ

Category:	Viruses and Spyware	Protection available since:	09 Oct 2012 14:40:50 (GMT)
Type:	Trojan	Last Updated:	09 Oct 2012 14:40:50 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Troj/Zbot-CSQ exhibits the following characteristics:

File Information

Size: 989K
SHA-1: 9deb01979633433a8393dd442cefa0f8dddeba02
MD5: bf65560221abecb90d99bea78d492872
CRC-32: 64676cbd
File type: Windows executable
First seen: 2012-10-09

Other vendor detection

Kaspersky: Trojan-Spy.Win32.Zbot.bopd

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@APPDATA@\Ifypda\ulwyg.exe
Size
17K
SHA-1
6c1904627b5f01175b21fe00cdcdc8cd930f25aa
MD5
44b497802b8b870edc4354e518d8b3ad
CRC-32
03fee74b
File type
Windows executable
First seen
2012-10-09
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
c:\Documents and Settings\test user\Application Data\Qyboo\kyfaa.uhu
Size
477
SHA-1
ea46e9e6436f652392fe8ebb3c6130186165b642
MD5
d93328450e06af71c3726da97b76856c
CRC-32
5e4f2148
File type
Unspecified binary - probably data
First seen
2012-10-09
c:\Documents and Settings\test user\Application Data\Ifypda\ulwyg.exe
Size
138K
SHA-1
652c884f5f3bf11d5889675030f60c676caaae74
MD5
f08b9d25139c141df9e8d349d8db20de
CRC-32
1b42387b
File type
Windows executable
First seen
2012-10-09
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@APPDATA@\Ifypda\ulwyg.exe
Size
17K
SHA-1
8c05a11c8c4b3fbf5981b21ab99313b77c605bb2
MD5
c928d61c0ce0ecc5b02db29041c0413b
CRC-32
fba0f4eb
File type
Windows executable
First seen
2012-10-09
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\XRegistry.tmp
c:\Documents and Settings\test user\Local Settings\Temp\list1.exe
Size
604K
SHA-1
0f713c31f43b69c4a20f07f52431621d7259f181
MD5
683e8f8e24bad86e8911467080bd4110
CRC-32
c3b66d88
File type
Windows executable
First seen
2012-10-09
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\XRegistry.tmp
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@SYSTEM@\cmd.exe
Size
17K
SHA-1
67d9f26611c88f11cd76229c34ad7f01f014a189
MD5
cae28786ce36131ee3d353de92620e5c
CRC-32
9e22ddf3
File type
Windows executable
First seen
2012-10-09
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.54\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
c:\Documents and Settings\test user\Application Data\Qyboo\kyfaa.tmp
Size
315
SHA-1
2ca7217f7dba1291feda6788f16aa318f07a0e09
MD5
4c3d5617584010a72cde173c6b75facc
CRC-32
f80096e9
File type
Unspecified binary - probably data
First seen
2012-10-09
c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.08T14.49\Native\STUBEXE\@SYSTEM@\cmd.exe
Size
17K
SHA-1
2a350722003c447deca359a8c6089b394bab8344
MD5
fd95f32e858349271d3025b90455d77b
CRC-32
667cce53
File type
Windows executable
First seen
2012-10-09

Modified Files

%PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
%PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
%PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx

Registry Keys Created

HKCU\Software\Microsoft\Internet Explorer\Privacy
CleanCookies
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
{D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8}
"c:\Documents and Settings\test user\Application Data\Ifypda\ulwyg.exe"
HKCU\Software\Microsoft\Yfudw
Zauko
□P□ □□□□□`□□□C□□□□0□□□□□@W□□□□□_□□□□□o□`□□0□□□@□□!□□□□ ~□□w□@□□`□□`□□p□□ n□0□□□4□`H□ □□□3□□□□□m□□□□□□□□p□□□□P4□□%□□M□□□□□S□□0□□B□□□□□□□□□□□□□□□□`H□□+□□□□@□□p□□□□□□□□□□□□□□□□□
HKCU\Identities
Identity Login
0x00098053

Registry Keys Modified

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1609
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0x00000000
HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
Compact Check Count
0x00000007
HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
TimeStamp
06 9e 17 7e fb a5 cd 01
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1609
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1609
0x00000000

Processes Created

c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.10.08t14.54\native\stubexe\@appdatalocal@\xenocode\sandbox\1.0.0.0\2012.10.08t14.49\native\stubexe\@appdata@\ifypda\ulwyg.exe
c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.10.08t14.54\native\stubexe\@appdatalocal@\xenocode\sandbox\1.0.0.0\2012.10.08t14.49\native\stubexe\@system@\cmd.exe
c:\docume~1\support\locals~1\temp\list1.exe

HTTP Requests

http://locusty.com/ckan/config.bin

DNS Requests

locusty.com

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

Troj/Zbot-CSQ

File Information

Other vendor detection

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Registry Keys Modified

Processes Created

HTTP Requests

DNS Requests

Free Mac Anti-Virus

Popular topics