Troj/Zbot-DXM

Category: Viruses and Spyware
Protection available since: 16 Feb 2013 05:33:52 (GMT)
Type: Trojan
Last Updated: 16 Feb 2013 05:33:52 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-DXM exhibits the following characteristics:

File Information

Size
603K
SHA-1
27d443ce977d3e60230b05b91fddacbfc19ded66
MD5
af223c2fc65199612505f378a2d6ccd4
CRC-32
5da583e7
File type
Windows executable
First seen
2013-01-05

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ozab\qafes.exe
    Size
    229K
    SHA-1
    6d4f8a33880290b740c76553d248bc6adc3a58f1
    MD5
    35389fb4274e2cbdfea399a552182bbc
    CRC-32
    7338dbc9
    File type
    Windows executable
    First seen
    2013-02-15
  • c:\Documents and Settings\test user\Application Data\Urxy\ovawf.tmp
    Size
    563
    SHA-1
    79f51d6459e4d9021c034017b6591b5679f34cf8
    MD5
    e47b531095b43e41c4114bee9660f5d6
    CRC-32
    cc418ab5
    File type
    Unspecified binary - probably data
    First seen
    2013-02-15
  • c:\Documents and Settings\test user\Application Data\Urxy\ovawf.ote
    Size
    477
    SHA-1
    0484af49fc5993ad1275c5b154705ae02b2a8733
    MD5
    d8b59d2b83668891c04a4b5cabaadcf5
    CRC-32
    5d3972f6
    File type
    Unspecified binary - probably data
    First seen
    2013-02-15
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Zygo
    Wisayxyz
    (binary data, not rendered)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9CAD8250-8B3E-0DFB-1D58-336E6DA87918}
    "c:\Documents and Settings\test user\Application Data\Ozab\qafes.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    08 63 b1 24 b1 0b ce 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\ozab\qafes.exe
  • c:\docume~1\support\locals~1\temp\dipo.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://my-click.org/dipo/cfg.bin
DNS Requests
  • my-click.org
