Example behaviours of Troj/Zbot-YI follow:
Example 1
File Information
- Size: 95K
- SHA-1: 603dc454828220293b85186a5a0f07fc46c0d272
- MD5: 231f03ca5381bd4c75e5d51fe2e974f6
- CRC-32: e8891822
- File type: application/x-ms-dos-executable
- First seen: 2010-09-02
Runtime Analysis
Dropped Files
- C:\Documents and Settings\support\Application Data\Kayx\ohma.exe
  - Size: 95K
  - SHA-1: cba5f3eede194e4d7fd3ece96cc1a7fb4e07d39a
  - MD5: 055cbcb8556e6d709168c4de91134210
  - CRC-32: 5238a9dd
  - File type: application/x-ms-dos-executable
  - First seen: 2010-09-02
Registry Keys Created
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {576DB727-830B-7985-4D16-5D1AFA1AEFFE} = "C:\Documents and Settings\support\Application Data\Kayx\ohma.exe"
- HKCU\Software\Microsoft\Otdu
  - Iqesxo = <Binary Data>
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609 = 0x00000000
Processes Created
- c:\documents and settings\support\application data\kayx\ohma.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://rrrekti.ru/manager/mssql/sql.pfx
- http://www.google.com/webhp
DNS Requests
- rrrekti.ru
- www.google.com
Example 2
File Information
- Size: 95K
- SHA-1: c5b2d0a3669a54389cd66448f57f6226c3c8b0db
- MD5: beca9e901084332d8bb5aab8a8b07b15
- CRC-32: 8c5131ee
- File type: application/x-ms-dos-executable
- First seen: 2010-09-02