Troj/Zbot-DZU

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 23 Feb 2013 15:19:23 (GMT)
Last Updated: 23 Feb 2013 15:19:23 (GMT)

Troj/Zbot-DZU exhibits the following characteristics:

File Information

Size: 941K
SHA-1: 395a25e396716b39ec07f19dc6d8fd683c6efd8c
MD5: 6e645c3db0549c14427c1774973f89dd
CRC-32: fe295e9b
File type: Windows executable
First seen: 2013-02-23

Other vendor detection

Avira: TR/Dropper.Gen

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ywhui\goofg.exe
    Size: 941K
    SHA-1: c8b701e7e240116bfa426061981d5e037b7fdc3b
    MD5: 094e856e27ef08a48671d3f17c3ffac0
    CRC-32: 728c1bda
    File type: Windows executable
    First seen: 2013-02-23
  • c:\Documents and Settings\test user\Local Settings\Temp\298451\FILE.PDF.pdf
    Size: 934
    SHA-1: b2d93d366e67dc2975adf2d4f6dfdb0c3b67808a
    MD5: 2d5fb5d0e065bb36e3215f7112974047
    CRC-32: a954c255
    File type: Adobe Portable Document Format (PDF)
    First seen: 2013-02-22
  • c:\Documents and Settings\test user\Application Data\Owyfo\udxax.upi
    Size: 1.1K
    SHA-1: d1e6da168ec84a8450ea1173eecf3d925fed31ac
    MD5: 8039f82f7a211746ffc7bc67b353dcf8
    CRC-32: 87a8d0cf
    File type: Unspecified binary - probably data
    First seen: 2013-02-23
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login: 0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D40916C1-3F43-72E8-704D-F65717077C2D}: "c:\Documents and Settings\test user\Application Data\Ywhui\goofg.exe"
  • HKCU\Software\Microsoft\Licy
    Bycaawl: (binary data; value contents not reproducible from this page)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609: 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609: 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count: 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp: c8 b4 5e 2e a6 11 ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\ywhui\goofg.exe
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://signetiq.com/js/jcrop/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • signetiq.com
  • www.google.bg
  • www.google.com