Examples of Troj/Zbot-DZQ include:
Example 1
File Information
- Size: 555K
- SHA-1: 073f61cacbc342dd4238f73b5af2705a1706af3f
- MD5: ceeeea1649ceed0fc3b3b71d789d866b
- CRC-32: 40c3ecca
- File type: Windows executable
- First seen: 2013-02-22
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Pyuz\rumue.ucs
  - Size: 477
  - SHA-1: f9af12b8c4b7ad901ccfaeed65295667fe047400
  - MD5: 71b760ce6c191882750ae7c18e1529b1
  - CRC-32: 2b16a3c6
  - File type: Unspecified binary - probably data
  - First seen: 2013-02-22
- c:\Documents and Settings\test user\Application Data\Evizc\ordy.exe
  - Size: 171K
  - SHA-1: 2f9f236a738f4f05645bfda30678747569d0838a
  - MD5: 1b166a1beadc9e5c7d6d0ca0c07c6b77
  - CRC-32: 6263b0bb
  - File type: Windows executable
  - First seen: 2013-02-22
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
- HKCU\Identities
  - Identity Login: 0x00098053
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies: 0x00000000
- HKCU\Software\Microsoft\Efux
  - Nubawiygm: □(□0□□`□□P□□ □□□□□□n□p□□□□□□□□0\□□□□ □□P□□□□□pk□P□□□□□PS□`$□□H□p□□0□□0□□□□□□0□□□□p□□□□□p9□□□□□□□P□□□□□0z□□□□□a□P□□□□□@□□□□□□□□p□□□c□□□□p□□ □□□J□□□□ p□Pw□□□□P□□□□□□□□□(□□□□@□□
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {C1D368D7-FCCA-1160-9A02-0E93DD2CCDCA}: "c:\Documents and Settings\test user\Application Data\Evizc\ordy.exe"
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp: 92 27 95 21 54 11 ce 01
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count: 0x00000008
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609: 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\evizc\ordy.exe
- c:\docume~1\support\locals~1\temp\bot1.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://www.google.bg/webhp
- http://www.google.com/webhp
- http://www.imfwesafrica.org/cross/cfg.bin
DNS Requests
- www.google.bg
- www.google.com
- www.imfwesafrica.org
Example 2
File Information
- Size: 555K
- SHA-1: 487c20872e2204e4ab2c799f163f64ab60abb79a
- MD5: d43bc207d5e7f021a24b4dbe8ef8132c
- CRC-32: c81d927e
- File type: Windows executable
- First seen: 2013-02-22
Example 3
File Information
- Size: 171K
- SHA-1: 84c14d41626ecafefb9e855b0dbb76370c089567
- MD5: d4b358a7c9507a02b7f72301bace93c9
- CRC-32: 1daf2d08
- File type: Windows executable
- First seen: 2013-02-22