Troj/Zbot-DKZ

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 05 Jan 2013 05:08:20 (GMT)
Last Updated: 05 Jan 2013 05:08:20 (GMT)


Troj/Zbot-DKZ exhibits the following characteristics:

File Information

Size: 590K
SHA-1: 737b3005c53524878a3e0e4ec0772a9bc42fa80a
MD5: 553434214329610064f725edc2f86feb
CRC-32: fc4f7936
File type: application/x-ms-dos-executable
First seen: 2007-07-20

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Azuzga\xeiz.nye
  • c:\Documents and Settings\test user\Application Data\Huraox\ykliz.exe
  • C:\debug.txt
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Syosa
    Amnuh
    48 06 64 59 13 5e 6b c2 19 11 82 53 12 bb b9 a0 72 2c 0d 0c f0 6c 8d 13 eb 87 8e f0 b0 e4 66 81 9f 6a 8b 53 0b 67 f1 4a 90 bf 1d 67 b0 3e 5b 0e 33 a8 37 b8 fa 61 f2 c4 9d a3 e5 b0 d9 d1 94 1f 2f f6 fb c7 2e 74 9b 0e c5 c0 17 4b a4 a3 21 c0 d4 50 9d 0f be 9a 87 17 45 49 98 af a1 fe 3f 55 69 72 bc 88 c7 bc 68 10 76 50 df 97 9c 09 dc b6 1a 4c 9f 4e 72 a9 d9 14 87 a8 65 48 7a 89 1b 2a 4e 90 a3 24 4f c3 fb aa 4d cd ef be 19 93 91 d9 c1 3a 42 0a fc 93 47 45 ac ea 16 fe 23 c9 e6 39 ed 5e bf c1 85 1b 06 aa b1 ca 79 f4 2a 32 42 01 12 b5 b9 05 1c 67 b5 7c 74 d1 40 ae 60 0f 68 b4 f2 a0 c6 e4 ee 45 48 a8 2b 80 09 fb aa f9 84 99 1f 5e cc 62 55 1f e4 78 33 1a fc bc a4 41 9d 20 a5 8d 72 c3 2d fe e0 4c 0c 92 6c d3 cc 2a ee e9 06 6e 3b 98 5b 63 4f 22 7a 6d 7f f3 26 4f ae 1d [... 151083 intervening characters ...] c3 e7 2d 34 a7 9b da c0 ae 63 3b 0a 35 6b 6f cb 07 e6 c9 88 67 4e 9a 7b 22 a4 e1 2b 17 03 3e 4b 96 13 0c fb 8c 64 05 a5 67 53 a3 09 8e 97 11 9f ea eb ee 44 55 4b 95 c0 d1 7f df 05 89 af d7 32
  • HKCU\Software\WinRAR SFX
    C%%DOCUME~1%support%LOCALS~1%Temp
    C:\DOCUME~1\support\LOCALS~1\Temp
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {1479C186-DD31-700D-B083-F5FDD3D0299E}
    "c:\Documents and Settings\test user\Application Data\Huraox\ykliz.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    6e c6 28 7f e6 ea cd 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\huraox\ykliz.exe
  • c:\docume~1\support\locals~1\temp\basi.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://basilbistro.ro/tmp/basi.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • basilbistro.ro
  • www.google.bg
  • www.google.com
