W32/Dorkbot-EE exhibits the following characteristics:
File Information
- Size: 164K
- SHA-1: 431ba86dbc19606ad7b5729368aff98dad21aed6
- MD5: 5eff80e9e773336eb22b9c1ba28a4dd5
- CRC-32: 663fbc84
- File type: Windows executable
- First seen: 2013-01-29
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Yfmod\seivf.exe
  - Size: 164K
  - SHA-1: ab420e469994231d4b27c64b39498b95097ce7b5
  - MD5: bf8773e391337ebdbf6b54e58ab552ee
  - CRC-32: 1a3048ed
  - File type: Windows executable
  - First seen: 2013-01-29
- c:\Documents and Settings\test user\Application Data\Ciit\uxfu.agy
  - Size: 477
  - SHA-1: 8bfeae71f51928e48db6c7719d0093a37d9c2c46
  - MD5: ca15aadcd00c179e02eeb346e7d2ab2b
  - CRC-32: df5cf886
  - File type: Unspecified binary - probably data
  - First seen: 2013-01-29
- c:\Documents and Settings\test user\Application Data\Ciit\uxfu.tmp
  - Size: 563
  - SHA-1: 8c00e6e123457440115b6839c9918fc518d9ba46
  - MD5: 84c24c94312ab7cfd9c754a8911198e2
  - CRC-32: 37d842b2
  - File type: Unspecified binary - probably data
  - First seen: 2013-01-29
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies: 0x00000000
- HKCU\Software\Microsoft\Naxu
  - Ehxu: (binary value; contents not rendered)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {A01CA728-1BE4-DDFE-913F-A1D353901F89}: "c:\Documents and Settings\test user\Application Data\Yfmod\seivf.exe"
- HKCU\Identities
  - Identity Login: 0x00098053
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp: 2a a1 34 61 3f fe cd 01
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count: 0x00000008
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609: 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\yfmod\seivf.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://www.carnesviba.com/ja/images/te.bin
- http://www.google.bg/webhp
- http://www.google.com/webhp
IP Connections
DNS Requests
- www.carnesviba.com
- www.google.bg
- www.google.com