Troj/Zbot-HYQ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 22 Mar 2014 02:31:18 (GMT)
Last Updated: 22 Mar 2014 02:31:18 (GMT)
Prevalence: Small Number of Reports


Troj/Zbot-HYQ exhibits the following characteristics:

File Information

File type
Windows executable

Other vendor detection

Avira
TR/Agent.BCEZ.1

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Ipgi\rivoo.tmp
  • c:\Documents and Settings\test user\Local Settings\Temp\tmpb58378f5.bat
  • c:\Documents and Settings\test user\Application Data\Ipgi\rivoo.enc
  • c:\Documents and Settings\test user\Application Data\Ucegd\uqfa.exe
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Soiss
    Nymoak
    [binary value data, not reproducible in text]
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {9C75927C-1769-2663-390F-C5E7D134C6CF}
    "c:\Documents and Settings\test user\Application Data\Ucegd\uqfa.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    8e 8d 67 aa 48 45 cf 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\ucegd\uqfa.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
HTTP Requests
  • http://hlbsiccuspetroleum.net/wp-includes/css/foxphp/config.bin
DNS Requests
  • hlbsiccuspetroleum.net