Troj/Zbot-EMQ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 06 Apr 2013 03:08:54 (GMT)
Last Updated: 06 Apr 2013 03:08:54 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-EMQ exhibits the following characteristics:

File Information

Size: 281K
SHA-1: 6cb1145e1a0b87435a881d39a0463826fa91462a
MD5: 1cfc7c73b16845f3a063e07551095d1f
CRC-32: 1f559957
File type: application/x-ms-dos-executable
First seen: 2013-04-05

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Abovo\wagey.aro
    Size: 477
    SHA-1: 81cbf5e899bdbd3539fa7c92273e198d67fc96e0
    MD5: 64e6b32df7050d92e56fb60b50636799
    CRC-32: bd45432c
    File type: application/octet-stream
    First seen: 2013-04-05
  • c:\Documents and Settings\test user\Application Data\Abovo\wagey.tmp
    Size: 563
    SHA-1: a0777651e3dd71dbcaf62d234eb900ea52b1dbf5
    MD5: a8b76432de2d557ed880d12c50abbad5
    CRC-32: 498872e2
    File type: application/octet-stream
    First seen: 2013-04-05
  • c:\Documents and Settings\test user\Application Data\Dusar\yvtys.exe
    Size: 281K
    SHA-1: 2b8bee5298d8d7a844886a7876d26044e0c5adab
    MD5: 8287f672ec4c257275be604061c058ac
    CRC-32: 3dd3ea50
    File type: application/x-ms-dos-executable
    First seen: 2013-04-05
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {6963B866-C696-D64B-728A-4E976E2393F0}
    "c:\Documents and Settings\test user\Application Data\Dusar\yvtys.exe"
  • HKCU\Software\Microsoft\Wanye
    Zigofog
    (binary data; not rendered as text in the original report)
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    74 4e e3 5e 53 32 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\dusar\yvtys.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://www.vitalsport.cl/logs/cfg.bin
DNS Requests
  • www.vitalsport.cl
