Troj/Zbot-DQU

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 22 Jan 2013 10:55:30 (GMT)
Last Updated: 22 Jan 2013 10:55:30 (GMT)


Examples of Troj/Zbot-DQU include:

Example 1

File Information

Size
233K
SHA-1
9678779735b8f62b1d5301eed050bc1d87bb4056
MD5
309ffdc7acc0a2720245a30bae2e27f7
CRC-32
aa330764
File type
Windows executable
First seen
2013-01-22

Example 2

File Information

Size
233K
SHA-1
dfbfcebf5247ddcb7ad381f23437e5b2118973d5
MD5
f8cb6e81c21dee8326fbe9a709186f91
CRC-32
b74fa4e2
File type
Windows executable
First seen
2013-01-22

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ypteu\cubui.xuu
    Size
    477
    SHA-1
    15b4ec10a4a5d3de7c718a2cecdafe37c404b035
    MD5
    38af4a183ca4019ed1f92193ff5f35ec
    CRC-32
    967255a3
    File type
    Unspecified binary - probably data
    First seen
    2013-01-22
  • c:\Documents and Settings\test user\Application Data\Bayrur\teykb.exe
    Size
    233K
    SHA-1
    9678779735b8f62b1d5301eed050bc1d87bb4056
    MD5
    309ffdc7acc0a2720245a30bae2e27f7
    CRC-32
    aa330764
    File type
    Windows executable
    First seen
    2013-01-22
  • C:\debug.txt
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {35E1E527-A0F0-61E1-6B2C-F11F25B8B73B}
    "c:\Documents and Settings\test user\Application Data\Bayrur\teykb.exe"
  • HKCU\Software\Microsoft\Fiaw
    Oqbo
    (binary data; value contents not recoverable from this page)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    52 4b 60 81 68 f8 cd 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\bayrur\teykb.exe
  • c:\docume~1\support\locals~1\temp\jybvmffplwzn.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://bizfoster.com/images/DB/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • bizfoster.com
  • www.google.bg
  • www.google.com
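
As an added example (not Sophos tooling and not code from this page), the following Python matches a constructed set of sandbox/EDR events against the indicators listed above: the SHA-1 and MD5 hashes from the File Information and Dropped Files sections, the config.bin URL and its domain from the HTTP and DNS Requests, and the GUID-named Run value pointing into Application Data from Registry Keys Created. The GUID-plus-Application-Data check generalizes the single persistence entry shown into a pattern; that generalization is an assumption about the family, not something the page states. The Event layout and SAMPLE_EVENTS are constructed for illustration.

```python
"""Match sandbox/EDR events against the Troj/Zbot-DQU indicators on this page.

Added example, not Sophos code. The Event layout and the SAMPLE_EVENTS list are
constructed for illustration; adapt the loader to whatever your telemetry emits.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the page's File Information and Runtime Analysis.
ZBOT_DQU_HASHES = {
    # SHA-1
    "9678779735b8f62b1d5301eed050bc1d87bb4056",  # Example 1 and dropped teykb.exe
    "dfbfcebf5247ddcb7ad381f23437e5b2118973d5",  # Example 2
    "15b4ec10a4a5d3de7c718a2cecdafe37c404b035",  # dropped cubui.xuu (477 bytes)
    # MD5
    "309ffdc7acc0a2720245a30bae2e27f7",
    "f8cb6e81c21dee8326fbe9a709186f91",
    "38af4a183ca4019ed1f92193ff5f35ec",
}
ZBOT_DQU_DOMAINS = {"bizfoster.com"}
ZBOT_DQU_URLS = {"http://bizfoster.com/images/DB/config.bin"}

# Heuristic (assumption, not stated on the page): the persistence entry shown is
# a GUID-named HKCU Run value launching an .exe from a subdirectory of the user's
# Application Data. Alerting on that shape catches renamed drops; baseline it first.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
APPDATA_EXE_RE = re.compile(
    r'(?:\\application data\\|\\appdata\\roaming\\|%appdata%\\)[^\\]+\\[^\\]+\.exe"?$',
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str        # "file", "registry", "dns" or "http"
    value: str       # file hash, registry data, hostname or URL
    path: str = ""   # file path, or registry key for registry events
    name: str = ""   # registry value name


def looks_like_zbot_run_entry(key: str, value_name: str, command: str) -> bool:
    """True for a GUID-named Run value whose command is <Application Data>\\<dir>\\<file>.exe."""
    return (
        key.strip().lower() == RUN_KEY
        and GUID_RE.match(value_name.strip()) is not None
        and APPDATA_EXE_RE.search(command.strip()) is not None
    )


def match_iocs(events):
    """Return (event, reason) for each event that matches a page indicator or the heuristic."""
    hits = []
    for ev in events:
        v = ev.value.strip()
        if ev.kind == "file" and v.lower() in ZBOT_DQU_HASHES:
            hits.append((ev, f"known Troj/Zbot-DQU hash: {ev.path}"))
        elif ev.kind == "registry" and looks_like_zbot_run_entry(ev.path, ev.name, v):
            hits.append((ev, f"Zbot-style Run persistence: {ev.name} -> {v}"))
        elif ev.kind == "dns" and v.lower().rstrip(".") in ZBOT_DQU_DOMAINS:
            hits.append((ev, f"domain from the page's DNS Requests: {v}"))
        elif ev.kind == "http":
            host = (urlparse(v).hostname or "").lower()
            if v in ZBOT_DQU_URLS or host in ZBOT_DQU_DOMAINS:
                hits.append((ev, f"URL from the page's HTTP Requests: {v}"))
    return hits


# Constructed events: the page's artifacts interleaved with benign noise.
SAMPLE_EVENTS = [
    Event("file", "9678779735B8F62B1D5301EED050BC1D87BB4056",
          path=r"c:\Documents and Settings\test user\Application Data\Bayrur\teykb.exe"),
    Event("file", "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # placeholder benign hash
          path=r"c:\windows\notepad.exe"),
    Event("registry", r'"c:\Documents and Settings\test user\Application Data\Bayrur\teykb.exe"',
          path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          name="{35E1E527-A0F0-61E1-6B2C-F11F25B8B73B}"),
    Event("registry", r'"C:\Program Files\Vendor\agent.exe" /tray',  # benign: named value, Program Files
          path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", name="VendorAgent"),
    Event("http", "http://bizfoster.com/images/DB/config.bin"),
    Event("http", "http://www.google.com/webhp"),
    Event("dns", "bizfoster.com"),
    Event("dns", "www.google.bg"),
]

if __name__ == "__main__":
    for ev, reason in match_iocs(SAMPLE_EVENTS):
        print(f"[{ev.kind}] {reason}")
```

Match on SHA-1 or MD5, not on the CRC-32 values listed above: CRC-32 is a checksum with trivial collisions and is not a usable identifier for a sample. The google.bg and google.com requests are listed on the page but are not treated as indicators here, since they are ordinary connectivity traffic.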
