Troj/Zbot-DQR

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 22 Jan 2013 07:23:11 (GMT)
Last Updated: 22 Jan 2013 07:23:11 (GMT)


Troj/Zbot-DQR exhibits the following characteristics:

File Information

Size
1.4M
SHA-1
11c780beed507a7782a97a5e789f46a318340104
MD5
e8fac8bc6a7b120f759e860996780386
CRC-32
46e6a13c
File type
Windows executable
First seen
2013-01-21

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Fyuvug\irnaa.opi
    Size
    477
    SHA-1
    e25abc8cafd7aff156d264213f75cc10b54d26ac
    MD5
    d53eed1bfe440e2aa428208c6e134d64
    CRC-32
    b282e848
    File type
    Unspecified binary - probably data
    First seen
    2013-01-22
  • c:\Documents and Settings\test user\Local Settings\Application Data\Spoon\Sandbox\1.0.0.0\local\stubexe\0xCF28318C611AD3E8\bot.exe
    Size
    17K
    SHA-1
    f91182d0f297da33c600b72c6cc240371bdca518
    MD5
    4f52f4c115f6a0c6d893a926122a95cf
    CRC-32
    4857ef1a
    File type
    Windows executable
    First seen
    2013-01-22
  • c:\Documents and Settings\test user\Application Data\Fyuvug\irnaa.tmp
    Size
    563
    SHA-1
    10843c0d54ad36aaa0f9dc1b03032316e579968e
    MD5
    47984fe92c930a7e3c6703f5bb4dac90
    CRC-32
    9f01a772
    File type
    Unspecified binary - probably data
    First seen
    2013-01-22
  • c:\Documents and Settings\test user\Local Settings\Application Data\Spoon\Sandbox\1.0.0.0\xsandbox.bin
    Size
    16
    SHA-1
    748532edeb86496c8efe5e2327501d89ec1f13df
    MD5
    ec3d19e8e9b05d025cb56c2a98ead8e7
    CRC-32
    52861c96
    File type
    Unspecified binary - probably data
    First seen
    2012-10-31
  • c:\Documents and Settings\test user\Application Data\Roget\ocbeu.exe
    Size
    139K
    SHA-1
    af0ab0232c72136d956605a0b782b45b1fdcd332
    MD5
    defd990976a7c28b9a4c2eed1981f0e7
    CRC-32
    14cafe6d
    File type
    Windows executable
    First seen
    2013-01-22
  • c:\Documents and Settings\test user\Local Settings\Temp\Order1.exe
    Size
    1.4M
    SHA-1
    b75d87cea41f428180eecc8958e6ad7915c90a79
    MD5
    802879fd625dae7bee902b1ac4495020
    CRC-32
    1c42ba1f
    File type
    Windows executable
    First seen
    2013-01-22
  • c:\Documents and Settings\test user\Local Settings\Application Data\Spoon\Sandbox\1.0.0.0\local\stubexe\0xCF28318C611AD3E8\ocbeu.exe
    Size
    17K
    SHA-1
    b4843ae722614ce52ef97e5a5541dde3fd5dd645
    MD5
    cbe20c33a0b1b33ab6c954e80cfdc9a9
    CRC-32
    4d0bb424
    File type
    Windows executable
    First seen
    2013-01-22
  • c:\Documents and Settings\test user\Local Settings\Application Data\Spoon\Sandbox\1.0.0.0\local\stubexe\0x5012597E1062D49C\cmd.exe
    Size
    17K
    SHA-1
    025d42c6d787d43ee6dc0f29a474bd84fca5985b
    MD5
    380a7529e05b0eb10f3ec8cd9ee01fd2
    CRC-32
    44369ced
    File type
    Windows executable
    First seen
    2013-01-22
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Weafd
    Numo
    (binary data; the value is not printable and is not reproduced here)
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {B5900658-B683-C128-79C7-9C7C8F41D583}
    "c:\Documents and Settings\test user\Application Data\Roget\ocbeu.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    fe 34 95 84 40 f8 cd 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\spoon\sandbox\1.0.0.0\local\stubexe\0x5012597e1062d49c\cmd.exe
  • c:\Documents and Settings\test user\local settings\application data\spoon\sandbox\1.0.0.0\local\stubexe\0xcf28318c611ad3e8\bot.exe
  • c:\Documents and Settings\test user\local settings\application data\spoon\sandbox\1.0.0.0\local\stubexe\0xcf28318c611ad3e8\ocbeu.exe
  • c:\docume~1\support\locals~1\temp\order1.exe
HTTP Requests
  • http://thebenchesband.com/sinzu/cfg.bin
DNS Requests
  • thebenchesband.com
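The indicators above are most useful when turned into host and log checks. The following is an added triage example, not Sophos' own tooling: it hashes files against the SHA-1/MD5 values listed on this page, flags a Run-key entry shaped like the one above (a GUID-named value whose target lives under Application Data, which is a heuristic assumption generalised from that single entry), and scans proxy/DNS log lines for the C2 host and config URL. The sample log lines and the benign test file are constructed for the demo.

```python
"""IOC triage helpers for the Troj/Zbot-DQR indicators listed on this page.
Added example, not Sophos' own tooling. The heuristic in suspicious_run_value()
is an assumption generalised from the single Run entry shown above."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes copied from the File Information and Dropped Files sections above.
KNOWN_SHA1 = {
    "11c780beed507a7782a97a5e789f46a318340104": "Troj/Zbot-DQR (initial sample)",
    "b75d87cea41f428180eecc8958e6ad7915c90a79": "Temp\\Order1.exe",
    "af0ab0232c72136d956605a0b782b45b1fdcd332": "Application Data\\Roget\\ocbeu.exe",
    "f91182d0f297da33c600b72c6cc240371bdca518": "Spoon stubexe bot.exe",
}
KNOWN_MD5 = {
    "e8fac8bc6a7b120f759e860996780386": "Troj/Zbot-DQR (initial sample)",
    "802879fd625dae7bee902b1ac4495020": "Temp\\Order1.exe",
    "defd990976a7c28b9a4c2eed1981f0e7": "Application Data\\Roget\\ocbeu.exe",
    "4f52f4c115f6a0c6d893a926122a95cf": "Spoon stubexe bot.exe",
}
# C2 host and config path from the HTTP/DNS Requests sections above.
NETWORK_IOCS = ("thebenchesband.com", "/sinzu/cfg.bin")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def hash_file(path):
    """Return (md5, sha1) hex digests, streamed so large files are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def match_hashes(md5=None, sha1=None):
    """Label of a known sample, or None. SHA-1 is preferred; an MD5-only hit
    is accepted as a weaker fallback because MD5 collisions are cheap."""
    if sha1 and sha1.lower() in KNOWN_SHA1:
        return KNOWN_SHA1[sha1.lower()]
    if md5 and md5.lower() in KNOWN_MD5:
        return KNOWN_MD5[md5.lower()]
    return None


def scan_file(path):
    """Hash a file on disk and look it up against the page's indicators."""
    return match_hashes(*hash_file(path))


def suspicious_run_value(name, command):
    """Heuristic (assumption): a Run value whose name is a bare GUID and whose
    target sits under the user's Application Data / AppData tree matches the
    persistence entry listed above. Quotes and case are normalised first."""
    if not GUID_RE.match(name.strip()):
        return False
    target = command.strip().strip('"').lower()
    return "\\application data\\" in target or "\\appdata\\" in target


def find_network_iocs(lines):
    """Return (line_index, [indicators]) for each log line mentioning the
    C2 host or the config URL path, case-insensitively."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        found = [ioc for ioc in NETWORK_IOCS if ioc in low]
        if found:
            hits.append((i, found))
    return hits


# Constructed proxy/DNS log lines for the demo; not from a real incident.
SAMPLE_LOG = [
    "2013-01-22T07:20:11Z 192.0.2.10 GET http://thebenchesband.com/sinzu/cfg.bin 200",
    "2013-01-22T07:20:12Z 192.0.2.10 GET http://www.example.com/ 200",
    "2013-01-22T07:20:13Z 192.0.2.11 DNS A THEBENCHESBAND.COM",
]


def demo():
    """Run all three checks on constructed input and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"abc")  # constructed benign file, not an IOC
        file_hit = scan_file(benign)
        benign_sha1 = hash_file(benign)[1]
    return {
        "file": file_hit,
        "benign_sha1": benign_sha1,
        "run_key": suspicious_run_value(
            "{B5900658-B683-C128-79C7-9C7C8F41D583}",
            '"c:\\Documents and Settings\\test user\\Application Data\\Roget\\ocbeu.exe"'),
        "network": find_network_iocs(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hash matching only catches these exact samples; the Run-key heuristic and the network indicators are what survive a repack, so on a live host point scan_file() at the paths listed under Dropped Files and feed the Run subkey values and web proxy logs to the other two functions.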
