Troj/Zbot-DMB

Category: Viruses and Spyware
Protection available since: 02 Feb 2013 13:14:14 (GMT)
Type: Trojan
Last Updated: 02 Feb 2013 13:14:14 (GMT)
Prevalence: Small Number of Reports

Examples of Troj/Zbot-DMB include:

Example 1

File Information

Size
165K
SHA-1
11ed277d8ce4d4d139c871b89a95ade7555ba3eb
MD5
f0d0c924ef3bcfa357853c4744785635
CRC-32
abf03e9f
File type
Windows executable
First seen
2013-02-02

Example 2

File Information

Size
551K
SHA-1
9cc38cb099cf4fa1fd1a99e2a58524d26e0672e7
MD5
ebd9c2f7ea857f895d954d778d34802d
CRC-32
a2ee0c63
File type
Windows executable
First seen
2013-02-02

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Liisma\ipmiu.teu
    Size
    477
    SHA-1
    1879a386f2c990d1992683756ca8a19a1f35be3c
    MD5
    bd0b8731440cbf4f437abf48f4eccac4
    CRC-32
    37d65d14
    File type
    Unspecified binary - probably data
    First seen
    2013-02-02
  • c:\Documents and Settings\test user\Application Data\Ryun\tamay.exe
    Size
    165K
    SHA-1
    423b7b3a919392aa93db81995a0a4e74d7c8c198
    MD5
    913953bdf6309c0a367e270afdcf0421
    CRC-32
    2f5db842
    File type
    Windows executable
    First seen
    2013-02-02
  • c:\Documents and Settings\test user\Application Data\gmon.out
    Size
    4.1K
    SHA-1
    5f983505c9da2490cb9ac35cf2921802da306f85
    MD5
    fda481ce03aa599726b4b3be094ef3e9
    CRC-32
    5859f5b6
    File type
    Unspecified binary - probably data
    First seen
    2013-02-02
  • c:\Documents and Settings\test user\Local Settings\Temp\gmon.out
    Size
    4.1K
    SHA-1
    f73b17a53409ae47fd018832df823b21369b8367
    MD5
    1b23b9acd8d6df5ba53cbb8eb8fd3249
    CRC-32
    c133d24a
    File type
    Unspecified binary - probably data
    First seen
    2013-02-02
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Vuqek
    Ryuc
    (binary data; value is not printable)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {B5900658-B683-C128-79C7-9C7C8F41D583}
    "c:\Documents and Settings\test user\Application Data\Ryun\tamay.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    8e 3b fb 58 fd 00 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\ryun\tamay.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://l-cx.org/vices/cfg.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • l-cx.org
  • www.google.bg
  • www.google.com