Troj/Zbot-DTY

Category: Viruses and Spyware
Type: Trojan
Protection available since: 01 Feb 2013 03:06:00 (GMT)
Last Updated: 01 Feb 2013 03:06:00 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-DTY include:

Example 1

File Information

Size: 172K
SHA-1: 6a510236ab7825a4eba9f6afc6b4d7a8d8b02f4f
MD5: 5a0df2492d10d3fd6e596d2303a93710
CRC-32: 2b26187b
File type: Windows executable
First seen: 2013-01-31

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Hiuspu\iwzyq.oxe
    Size: 477
    SHA-1: 0a5edf73466af1a0795f422197f438a6890a6aab
    MD5: 7bf67c370eb84035135cf4245f6f9e5c
    CRC-32: 3afa4768
    File type: Unspecified binary - probably data
    First seen: 2013-01-31
  • c:\Documents and Settings\test user\Application Data\Hiuspu\iwzyq.tmp
    Size: 563
    SHA-1: 03e5732c26fc57aff5e72d6fca7e8798f4b7f6c2
    MD5: 0eaf1773c69b55f00524fd4e2069f186
    CRC-32: cc78e241
    File type: Unspecified binary - probably data
    First seen: 2013-01-31
  • c:\Documents and Settings\test user\Application Data\Omhiz\bycet.exe
    Size: 172K
    SHA-1: cb2cbd2dd44c090d1e534c07fbb014889dca3156
    MD5: 17b5c4d2f5b5bca662ca38a9ca6f8562
    CRC-32: fc4a655f
    File type: Windows executable
    First seen: 2013-01-31
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Onbivu
    Gyovabos = (binary value, not printable)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {A01CA728-1BE4-DDFE-913F-A1D353901F89} = "c:\Documents and Settings\test user\Application Data\Omhiz\bycet.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = aa bb 66 05 d2 ff cd 01
Processes Created
  • c:\Documents and Settings\test user\application data\omhiz\bycet.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://www.carnesviba.com/ja/images/te.bin
  • http://www.google.com/webhp
IP Connections
  • 168.144.170.216:80
DNS Requests
  • www.carnesviba.com
  • www.google.com

Example 2

File Information

Size: 108K
SHA-1: 74957f10e1599a2a232fd5b2b7503eb3b59e1f22
MD5: 7809d9cce6338fe4481b77291667c80b
CRC-32: ea4df54d
File type: Windows executable
First seen: 2013-01-31

Example 3

File Information

Size: 172K
SHA-1: cb2cbd2dd44c090d1e534c07fbb014889dca3156
MD5: 17b5c4d2f5b5bca662ca38a9ca6f8562
CRC-32: fc4a655f
File type: Windows executable
First seen: 2013-01-31
