Troj/Zbot-DCP

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 27 Nov 2012 07:11:43 (GMT)
Last Updated: 27 Nov 2012 07:11:43 (GMT)

Examples of Troj/Zbot-DCP include:

Example 1

File Information

Size: 657K
SHA-1: 5effef08eb695da4a63c2fbc94287b9ed9dae970
MD5: bbb034465fe66d1dfd2884e6bbab26ff
CRC-32: 52cfe057
File type: Windows executable
First seen: 2012-11-27

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Davut\yfgu.exe
    Size: 657K
    SHA-1: fb35a0a0cf95cb2534da2beeb79fc67c228a2877
    MD5: 002fb1eb9bac7dd2df48c6e046f23e50
    CRC-32: dbbea01c
    File type: Windows executable
    First seen: 2012-11-27
  • c:\Documents and Settings\test user\Application Data\Owax\irofm.tmp
    Size: 315
    SHA-1: ec429ffbe7138191ec02debce41f432e4f395556
    MD5: 09b3ca48ea39e76e46e31fd11d744d17
    CRC-32: 8fa31387
    File type: Unspecified binary - probably data
    First seen: 2012-11-27
  • c:\Documents and Settings\test user\Application Data\Owax\irofm.tin
    Size: 477
    SHA-1: 077625a2c03d76d0176729661dc9104b8c6d95eb
    MD5: 4be938a6012f99aab87561d4e013fd7e
    CRC-32: 20bacd13
    File type: Unspecified binary - probably data
    First seen: 2012-11-27
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Xayg
    Ykroxeab = (binary data, not printable)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8} = "c:\Documents and Settings\test user\Application Data\Davut\yfgu.exe"
  • HKCU\Identities
    Identity Login = 0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 9c 80 c6 a5 4e cc cd 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000007
Processes Created
  • c:\Documents and Settings\test user\application data\davut\yfgu.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://hosters.ld.vg/alpha/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • hosters.ld.vg
  • www.google.bg
  • www.google.com

Example 2

File Information

Size: 657K
SHA-1: fb35a0a0cf95cb2534da2beeb79fc67c228a2877
MD5: 002fb1eb9bac7dd2df48c6e046f23e50
CRC-32: dbbea01c
File type: Windows executable
First seen: 2012-11-27