Troj/Zbot-HVB

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 15 Mar 2014 17:13:39 (GMT)
Last Updated: 15 Mar 2014 17:13:39 (GMT)


Troj/Zbot-HVB exhibits the following characteristics:

File Information

Size: 405K
SHA-1: 1eb8d12e4676e2b4ee2ee23148e4d7fc6e7e4690
MD5: a66e454e9a25f8851e801b91933afb22
CRC-32: 599b0e15
First seen: 2014-03-14

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Maezvi\xuanb.naq
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.pif
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\system.pif
  • c:\Documents and Settings\test user\Application Data\Hysu\oxroh.exe
  • c:\Documents and Settings\test user\Application Data\Uhcypa\hiitw.odc
  • c:\Documents and Settings\test user\Application Data\InstallDir\help.exe
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Ofcyfe
    "c:\Documents and Settings\test user\Application Data\Hysu\oxroh.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Ynyden
    Wyerqoa
    (binary value; not rendered)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    help
    (binary value; not rendered)
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    0c be d4 d7 55 3f cf 01
Processes Created
  • c:\Documents and Settings\test user\application data\hysu\oxroh.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\hostname.exe
  • c:\windows\system32\ipconfig.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\tasklist.exe
HTTP Requests
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • cp9.tld.cc
  • www.google.bg
  • www.google.com
