Troj/Zbot-DMF

Category: Viruses and Spyware
Type: Trojan
Protection available since: 09 Jan 2013 06:42:20 (GMT)
Last Updated: 09 Jan 2013 06:42:20 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-DMF include:

Example 1

File Information

Size
313K
SHA-1
3f76bd300565e9dfda521f45e818133e211df780
MD5
5eb82f60ca4b768cffc8e89d96e2b6a9
CRC-32
c0817a04
File type
Windows executable
First seen
2013-01-09

Example 2

File Information

Size
313K
SHA-1
aa381c3b8a03efe4806df615581d8b47d4924a79
MD5
9c91800e1edf8352c3ca85cb8dccf137
CRC-32
5b690897
File type
Windows executable
First seen
2013-01-06

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Fyetky\ogdyi.exe
    Size
    313K
    SHA-1
    3f76bd300565e9dfda521f45e818133e211df780
    MD5
    5eb82f60ca4b768cffc8e89d96e2b6a9
    CRC-32
    c0817a04
    File type
    Windows executable
    First seen
    2013-01-09
  • c:\Documents and Settings\test user\Application Data\Geimh\peyfe.lui
    Size
    477
    SHA-1
    c9bfabb013b210a3de81157923fcc50e5b2b2f2b
    MD5
    97ff6d047bbaac456fdefa866ff0aa7b
    CRC-32
    473f3997
    File type
    Unspecified binary - probably data
    First seen
    2013-01-09
  • c:\Documents and Settings\test user\Application Data\Geimh\peyfe.tmp
    Size
    563
    SHA-1
    79390a496b8a36abe187a9d5fac6c19ef77fbd08
    MD5
    92163186c93973993c104ad694de01c0
    CRC-32
    043d9a16
    File type
    Unspecified binary - probably data
    First seen
    2013-01-09
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {972AB5A2-F13F-DAB0-630F-5C124CD2B1CC}
    "c:\Documents and Settings\test user\Application Data\Fyetky\ogdyi.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Obweq
    Isenqo
    (binary data; non-printable bytes, not reproducible in this extract)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    6a 8d 9b df 1a ee cd 01
Processes Created
  • c:\Documents and Settings\test user\application data\fyetky\ogdyi.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://simkorw.org/likes/config.bin
DNS Requests
  • simkorw.org
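As an added example that is not part of the Sophos analysis, the script below turns the runtime indicators above into an offline matcher: the known file hashes (note that the dropped Fyetky\ogdyi.exe carries the same SHA-1 and MD5 as Example 1, so the sample copies itself into Application Data), the GUID-named Run value pointing at a short randomly named .exe folder under Application Data, the zeroed URL action 1609 (Display mixed content) in the Internet Settings zones, and the config.bin fetch from simkorw.org. The registry snapshot, zone values and log lines it scans are constructed for illustration; the folder-name length bounds and the log-line format are assumptions.

```python
# Added example (not Sophos code): an offline IOC matcher built from the
# indicators listed on this page. The registry snapshot, zone settings and log
# lines below are constructed; only the hashes, paths, value names, host and
# URL are taken from the analysis above.
import hashlib
import re
from typing import Dict, Iterable, List

# File hashes from the File Information and Dropped Files sections. The
# dropped ogdyi.exe has the same hashes as Example 1: a self-copy.
KNOWN_SHA1 = {
    "3f76bd300565e9dfda521f45e818133e211df780",  # Example 1 / Fyetky\ogdyi.exe
    "aa381c3b8a03efe4806df615581d8b47d4924a79",  # Example 2
}
KNOWN_MD5 = {
    "5eb82f60ca4b768cffc8e89d96e2b6a9",  # Example 1 / Fyetky\ogdyi.exe
    "9c91800e1edf8352c3ca85cb8dccf137",  # Example 2
}
C2_HOST = "simkorw.org"          # DNS Requests
C2_PATH = "/likes/config.bin"    # HTTP Requests

# Persistence pattern from "Registry Keys Created": a Run value whose name is a
# GUID and whose data is an .exe in a short-named folder directly under
# Application Data (Fyetky\ogdyi.exe). The {4,8} length bounds are an assumption.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
APPDATA_EXE_RE = re.compile(r"\\application data\\[a-z]{4,8}\\[a-z]{4,8}\.exe$", re.I)

# IE URL action 1609 is URLACTION_HTML_MIXED_CONTENT ("Display mixed content");
# 0 means enable without prompting, which the sample sets for zones 0, 1, 2 and 4.
MIXED_CONTENT_ACTION = "1609"


def hashes_of(data: bytes) -> Dict[str, str]:
    """SHA-1 and MD5 of a file body, in the form is_known_sample() expects."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def is_known_sample(sha1: str = "", md5: str = "") -> bool:
    """True if either hash matches one of the samples on this page."""
    return sha1.lower() in KNOWN_SHA1 or md5.lower() in KNOWN_MD5


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Names of HKCU\\...\\Run values matching the GUID-name / Application Data pattern."""
    return [name for name, data in run_values.items()
            if GUID_RE.match(name) and APPDATA_EXE_RE.search(data.strip('"'))]


def weakened_ie_zones(zones: Dict[str, Dict[str, int]]) -> List[str]:
    """Zone numbers whose mixed-content action has been set to 0 (silently allow)."""
    return sorted(z for z, actions in zones.items()
                  if actions.get(MIXED_CONTENT_ACTION) == 0)


def c2_hits(log_lines: Iterable[str]) -> List[str]:
    """DNS or proxy log lines that reference the configuration server."""
    return [line for line in log_lines if C2_HOST in line]


# --- constructed sample input (not from the page) ----------------------------
SAMPLE_RUN_VALUES = {
    "{972AB5A2-F13F-DAB0-630F-5C124CD2B1CC}":
        '"c:\\Documents and Settings\\test user\\Application Data\\Fyetky\\ogdyi.exe"',
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",           # benign
    "{11111111-2222-3333-4444-555555555555}":
        '"C:\\Program Files\\Vendor\\updater.exe"',             # GUID name, wrong location
}
SAMPLE_ZONES = {
    "0": {"1609": 0}, "1": {"1609": 0}, "2": {"1609": 0},
    "3": {"1609": 1},                      # Internet zone left at "prompt"
    "4": {"1609": 0},
}
SAMPLE_LOG = [
    "2013-01-09 06:41:59 DNS A simkorw.org",
    "2013-01-09 06:42:01 GET http://simkorw.org/likes/config.bin 200 1421 ogdyi.exe",
    "2013-01-09 06:43:10 GET http://www.example.com/ 200 5120 iexplore.exe",
]


def scan(run_values=SAMPLE_RUN_VALUES, zones=SAMPLE_ZONES,
         log_lines=SAMPLE_LOG) -> Dict[str, list]:
    """Run every check and collect the findings in one report."""
    return {
        "run_values": suspicious_run_values(run_values),
        "weakened_zones": weakened_ie_zones(zones),
        "c2_lines": c2_hits(log_lines),
    }


if __name__ == "__main__":
    for key, findings in scan().items():
        print(f"{key}: {findings}")
```

Feed `suspicious_run_values` a dump of the Run key, `weakened_ie_zones` the per-zone values under Internet Settings\Zones, and `c2_hits` DNS or proxy logs; the hash check is deliberately separate so it can be applied to EDR inventory data that already carries hashes as well as to file bodies via `hashes_of`.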
