Troj/Zbot-DKZ exhibits the following characteristics:
File Information
- Size: 590K
- SHA-1: 737b3005c53524878a3e0e4ec0772a9bc42fa80a
- MD5: 553434214329610064f725edc2f86feb
- CRC-32: fc4f7936
- File type: application/x-ms-dos-executable
- First seen: 2007-07-20
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Azuzga\xeiz.nye
- c:\Documents and Settings\test user\Application Data\Huraox\ykliz.exe
- C:\debug.txt
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies: 0x00000000
- HKCU\Software\Microsoft\Syosa
  - Amnuh: (binary value)
- HKCU\Software\WinRAR SFX
  - C%%DOCUME~1%support%LOCALS~1%Temp: C:\DOCUME~1\support\LOCALS~1\Temp
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {1479C186-DD31-700D-B083-F5FDD3D0299E}: "c:\Documents and Settings\test user\Application Data\Huraox\ykliz.exe"
- HKCU\Identities
  - Identity Login: 0x00098053
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp: 6e c6 28 7f e6 ea cd 01
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609: 0x00000000
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count: 0x00000008
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609: 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\huraox\ykliz.exe
- c:\docume~1\support\locals~1\temp\basi.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://basilbistro.ro/tmp/basi.bin
- http://www.google.bg/webhp
- http://www.google.com/webhp
DNS Requests
- basilbistro.ro
- www.google.bg
- www.google.com