Troj/Zbot-DDP

Category: Viruses and Spyware
Type: Trojan
Protection available since: 08 Dec 2012 21:42:21 (GMT)
Last Updated: 08 Dec 2012 21:42:21 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-DDP include:

Example 1

File Information

Size: 309K
SHA-1: 4e3d813d1e6b2a2ea8c0a596662baed0ba50ab8e
MD5: 5145ce41b46e034e686d6419782d15a0
CRC-32: 95ee18b9
File type: Windows executable
First seen: 2012-12-08

Other vendor detection

Avira: TR/Dropper.Gen

Example 2

File Information

Size: 309K
SHA-1: 6f0f339743f6ebd835607b6cd15e9b11df08452b
MD5: e5801ec98c098c1b081f977f7c60ec22
CRC-32: 8661b9fe
File type: Windows executable
First seen: 2012-12-08

Other vendor detection

Avira: TR/Dropper.Gen

Runtime Analysis

Dropped Files
  • C:\debug.txt
  • c:\Documents and Settings\test user\Application Data\Roguaf\yrtiu.kog
    Size: 477
    SHA-1: c03e92ea97171773099a3f00e50f5500740cda79
    MD5: d47321889cff344e28ce0d91a355123a
    CRC-32: dadde4c4
    File type: OpenPGP/GPG encrypted file
    First seen: 2012-12-08
  • c:\Documents and Settings\test user\Application Data\Howaq\nedi.exe
    Size: 309K
    SHA-1: 4e3d813d1e6b2a2ea8c0a596662baed0ba50ab8e
    MD5: 5145ce41b46e034e686d6419782d15a0
    CRC-32: 95ee18b9
    File type: Windows executable
    First seen: 2012-12-08
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Cyhyve
    Toox = (binary data; not rendered on this page)
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {B8212D5A-1FAB-E895-82CF-4166EF570FE5} = "c:\Documents and Settings\test user\Application Data\Howaq\nedi.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 40 b4 95 2d 53 d5 cd 01
Processes Created
  • c:\Documents and Settings\test user\application data\howaq\nedi.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://satoribeauty.co.uk/img/sato.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • satoribeauty.co.uk
  • www.google.bg
  • www.google.com
