Troj/Zbot-DMG

Category: Viruses and Spyware
Type: Trojan
Protection available since: 09 Jan 2013 06:42:20 (GMT)
Last Updated: 09 Jan 2013 06:42:20 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-DMG include:

Example 1

File Information

File type
Windows executable

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Isun\yhav.kae
    Size
    477
    SHA-1
    96785c1d060fe0218d8d37e4c09502f59d794e29
    MD5
    d27b38cbbb029e86f682074755b3565c
    CRC-32
    6c467e28
    File type
    Unspecified binary - probably data
    First seen
    2013-01-09
  • c:\Documents and Settings\test user\Application Data\Nacyiz\duova.exe
    Size
    549K
    SHA-1
    92aebd99d13b6254298802aeff6cd702918afec5
    MD5
    27179a8f5d73f37c86c811e628645804
    CRC-32
    a851601d
    File type
    Windows executable
    First seen
    2013-01-09
  • c:\Documents and Settings\test user\Application Data\Isun\yhav.tmp
    Size
    563
    SHA-1
    cbdc61d41b2a881e8310d5f4c8de5bc3d8baddd4
    MD5
    3c4824e04920657a03d1fae7f0ada952
    CRC-32
    64beeb85
    File type
    Unspecified binary - probably data
    First seen
    2013-01-09
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Piutg
    Bazeuno
    (binary data: non-printable value, not reproduced here)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {FC4CAE76-26E9-5634-2129-729F76BC6121}
    "c:\Documents and Settings\test user\Application Data\Nacyiz\duova.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    20 6c b9 d2 1a ee cd 01
Processes Created
  • c:\Documents and Settings\test user\application data\nacyiz\duova.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://cqbx.org/slat/config.bin
DNS Requests
  • cqbx.org
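The runtime analysis above is a set of host and network indicators: three dropped files under Application Data (the dropped duova.exe carries the same SHA-1 and MD5 as the Example 2 sample), a GUID-named Run value for persistence, Internet Explorer zone value 1609 ("Display mixed content") set to 0 (Enable) in zones 0, 1, 2 and 4, the IE CleanCookies value set to 0, and a fetch of config.bin from cqbx.org. The following offline matcher is an added example, not Sophos code; it takes the indicators from the page and runs them over constructed file records, a constructed registry snapshot and constructed proxy/DNS log lines (none of which are real telemetry). Its registry rule goes beyond the page's exact values: it flags any GUID-named Run value pointing into Application Data and any zone in which 1609 is 0, which is an assumption about the family's general behaviour rather than something the page states.

```python
"""Offline IOC matcher for the Troj/Zbot-DMG runtime-analysis data above.

Added example, not Sophos code.  The indicators are copied from the page;
the file records, registry snapshot and proxy/DNS log it is run against
are constructed sample inputs, not real telemetry.
"""
import re
from urllib.parse import urlsplit

# --- Indicators from Example 1 (SHA-1 of the dropped files; the dropped
# duova.exe carries the same SHA-1/MD5 as the Example 2 sample) ---
DROPPED_SHA1 = {
    "96785c1d060fe0218d8d37e4c09502f59d794e29": r"Isun\yhav.kae",
    "92aebd99d13b6254298802aeff6cd702918afec5": r"Nacyiz\duova.exe",
    "cbdc61d41b2a881e8310d5f4c8de5bc3d8baddd4": r"Isun\yhav.tmp",
}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "{FC4CAE76-26E9-5634-2129-729F76BC6121}"
C2_HOST = "cqbx.org"

# Generalisations beyond the page's exact values (assumption, not stated on
# the page): a GUID-named Run value pointing into Application Data, and IE
# zone value 1609 ("Display mixed content") set to 0 (Enable) in any zone.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZONE_KEY_RE = re.compile(r"\\Internet Settings\\Zones\\(\d)$", re.I)


def _as_int(data):
    """Parse REG_DWORD text such as '0x00000000'; None if not numeric."""
    try:
        return int(data, 0)
    except ValueError:
        return None


def match_file_hashes(records):
    """records: iterable of (path, sha1_hex).  Returns [(path, dropped_name)]."""
    hits = []
    for path, sha1 in records:
        name = DROPPED_SHA1.get(sha1.lower())
        if name:
            hits.append((path, name))
    return hits


def match_registry(snapshot):
    """snapshot: iterable of (key, value_name, data_as_string).  Returns findings."""
    findings = []
    for key, value_name, data in snapshot:
        if key.lower() == RUN_KEY.lower():
            # Compare paths case-insensitively: the process list on the page
            # shows the same duova.exe path fully lowercased.
            guid_into_appdata = bool(GUID_RE.match(value_name)) and \
                "application data" in data.lower()
            if value_name == RUN_VALUE_NAME or guid_into_appdata:
                findings.append(f"run-key persistence: {value_name} -> {data}")
            continue
        m = ZONE_KEY_RE.search(key)
        if m and value_name == "1609" and _as_int(data) == 0:
            findings.append(f"mixed-content prompt disabled in IE zone {m.group(1)}")
        elif (key.lower().endswith(r"\internet explorer\privacy")
              and value_name.lower() == "cleancookies" and _as_int(data) == 0):
            findings.append("IE CleanCookies set to 0")
    return findings


def match_network(log_lines):
    """log_lines: whitespace-separated proxy/DNS lines.  Returns lines naming the C2 host."""
    hits = []
    for line in log_lines:
        for tok in line.split():
            host = urlsplit(tok).hostname if "://" in tok else tok.lower()
            if host == C2_HOST:
                hits.append(line)
                break
    return hits


# --- Constructed sample inputs (not from the page) ---
SAMPLE_FILES = [
    (r"C:\Documents and Settings\test user\Application Data\Nacyiz\duova.exe",
     "92AEBD99D13B6254298802AEFF6CD702918AFEC5"),          # upper-case hash on purpose
    (r"C:\WINDOWS\system32\notepad.exe",
     "0000000000000000000000000000000000000000"),
    (r"C:\Documents and Settings\test user\Application Data\Isun\yhav.kae",
     "96785c1d060fe0218d8d37e4c09502f59d794e29"),
]
SAMPLE_REGISTRY = [
    (RUN_KEY, RUN_VALUE_NAME,
     r'"c:\Documents and Settings\test user\Application Data\Nacyiz\duova.exe"'),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),   # benign entry
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",
     "1609", "0x00000000"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
     "1609", "0x00000001"),                                        # Prompt, not flagged
    (r"HKCU\Software\Microsoft\Internet Explorer\Privacy", "CleanCookies", "0x00000000"),
]
SAMPLE_LOG = [
    "2013-01-09 06:42:19 10.0.0.5 DNS cqbx.org A",
    "2013-01-09 06:42:20 10.0.0.5 GET http://cqbx.org/slat/config.bin 200 477",
    "2013-01-09 06:42:21 10.0.0.5 GET http://www.example.com/index.html 200 1024",
]

if __name__ == "__main__":
    for hit in match_file_hashes(SAMPLE_FILES):
        print("file    :", hit)
    for finding in match_registry(SAMPLE_REGISTRY):
        print("registry:", finding)
    for line in match_network(SAMPLE_LOG):
        print("network :", line)
```

The hash lookup is case-insensitive because tools emit SHA-1 in either case, and the network rule matches on the hostname rather than the full URL so that a later config path on the same host is still caught. The Run-value rule deliberately requires both a GUID-style value name and a path under Application Data; either condition alone would flag legitimate per-user software.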

Example 2

File Information

Size
549K
SHA-1
92aebd99d13b6254298802aeff6cd702918afec5
MD5
27179a8f5d73f37c86c811e628645804
CRC-32
a851601d
File type
Windows executable
First seen
2013-01-09
