Troj/Zbot-DMN

Category: Viruses and Spyware
Type: Trojan
Protection available since: 09 Jan 2013 16:49:38 (GMT)
Last Updated: 09 Jan 2013 16:49:38 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-DMN exhibits the following characteristics:

File Information

Size: 232K
SHA-1: b5d9741a0623d038b73a71a61845d62652d7dc8b
MD5: 899ba4483f088fa433f0ff796707aa15
CRC-32: 1135366e
File type: application/x-ms-dos-executable
First seen: 2013-01-09

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Dih\ceapgov.uqp
    Size: 1.1K
    SHA-1: e1ad882eb4fe478b016721d73ba21b7a15e7f0c8
    MD5: 2b3b5ec470c8bcf29b3595228553eef5
    CRC-32: 1ee26b40
    File type: Unspecified binary - probably data
    First seen: 2013-01-09
  • c:\Documents and Settings\test user\Application Data\Igtomoa\yqemqo.exe
    Size: 232K
    SHA-1: f164235caa175529f7a70bf29bdc41bff6472528
    MD5: 18d8c609c98affffd4c796f95b2e555e
    CRC-32: 4413cecf
    File type: Windows executable
    First seen: 2013-01-09
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {F573C11E-4E93-EF17-0F28-319AC855546C}
    "c:\Documents and Settings\test user\Application Data\Igtomoa\yqemqo.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Software\Microsoft\Acsuy
    Erley
    □□□@□□□□□□□□p□□□□□□U□0g□P{□p>□p=□□j□□*□ g□□□□□□□□}□□□□□A□p□□□'□□□□@□□□□□□□□□d□□]□□C□P'□□W□□□□□□□□□□□6□□g□@&□ □□□.□`j□□□□□□□□□□□I□□□□P□□□/□□□□P□□□□□□□□p□□@8□□k□□L□□□□□j□□L□□6□
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    16 fa 50 0c 70 ee cd 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\igtomoa\yqemqo.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • avadmin.be
