Troj/Zbot-DYO

Category: Viruses and Spyware
Type: Trojan
Protection available since: 20 Feb 2013 00:44:20 (GMT)
Last Updated: 20 Feb 2013 00:44:20 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-DYO include:

Example 1

File Information

Size
978K
SHA-1
3db216fa6ef7caff2c28e661ef35ee7a9ab133bf
MD5
8f610cb80a705f15b688d76793fb2564
CRC-32
7d77931c
File type
RAR compressed archive
First seen
2013-02-19

Example 2

File Information

Size
1.1M
SHA-1
656fec2c21b1760f997e28a1a756670dbf104ca5
MD5
0e654b9c75f815af02641daf7c51db80
CRC-32
3600518e
File type
Windows executable
First seen
2013-02-19

Example 3

File Information

Size
1.1M
SHA-1
fb867f5e65725e86e81ea938a240c72eac1b05d7
MD5
6bcecb0e61bb5f755c591591fd5e8fda
CRC-32
7df2f5a4
File type
Windows executable
First seen
2013-02-19

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ruax\yfuq.ola
    Size
    477
    SHA-1
    4d0b4f157904a4eaabf6c319a1aeaa6feb83f142
    MD5
    90a153390dc6a231ca5d7676ed9a0714
    CRC-32
    94210dd9
    File type
    Unspecified binary - probably data
    First seen
    2013-02-19
  • c:\Documents and Settings\test user\Application Data\Awwu\paacb.exe
    Size
    1.1M
    SHA-1
    656fec2c21b1760f997e28a1a756670dbf104ca5
    MD5
    0e654b9c75f815af02641daf7c51db80
    CRC-32
    3600518e
    File type
    Windows executable
    First seen
    2013-02-19
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Eqnac
    Esdudoo
    (binary data; value is not representable as text)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D8BE4E36-E525-CAE7-D392-C0B79C6D7952}
    "c:\Documents and Settings\test user\Application Data\Awwu\paacb.exe"
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    56 df b6 ff df 0e ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\awwu\paacb.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://tmaleri.se/made/kr8.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • tmaleri.se
  • www.google.bg
  • www.google.com
