Troj/Zbot-DSK

Category: Viruses and Spyware
Type: Trojan
Protection available since: 27 Jan 2013 14:49:35 (GMT)
Last Updated: 27 Jan 2013 14:49:35 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-DSK exhibits the following characteristics:

File Information

Size: 412K
SHA-1: f4a1ec563d1d8732bfa7a13e96d7f72c273c56ef
MD5: ea8ac3d20ca0cc289d2f69209684b0f0
CRC-32: c386241c
File type: Windows executable
First seen: 2013-01-26

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ydys\yhigxo.ilt
    Size: 477
    SHA-1: af45326216e65ac1fe7f7e669b854601928acb2a
    MD5: 995b88ddd7fd19022bc0ded0521f8e03
    CRC-32: 93c75022
    File type: Unspecified binary - probably data
    First seen: 2013-01-27
  • c:\Documents and Settings\test user\Application Data\Iwy\zazymi.exe
    Size: 412K
    SHA-1: 9b78036a4520a62a76792bdbfb6336b6c45cd1c7
    MD5: 68334458a3e651dbd31ace176b9219e6
    CRC-32: 10bd59bf
    File type: Windows executable
    First seen: 2013-01-27
  • c:\Documents and Settings\test user\Application Data\Ydys\yhigxo.tmp
    Size: 563
    SHA-1: 83e32a49b2bd2462b48755c482ee39614838af3e
    MD5: 434c1eadae6d5e82fa01d081cb7cd971
    CRC-32: 07dcf821
    File type: Unspecified binary - probably data
    First seen: 2013-01-27
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Vuik
    Anbedehe
    [binary value; data not printable]
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {FD61411B-E17C-225B-0E8B-B323D864978E}
    "c:\Documents and Settings\test user\Application Data\Iwy\zazymi.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    da 94 10 47 6d fc cd 01
Processes Created
  • c:\Documents and Settings\test user\application data\iwy\zazymi.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • www.trenddzu.me
