Troj/Zapchast-B

Category: Viruses and Spyware
Protection available since: 20 May 2011 17:09:57 (GMT)
Type: Trojan
Last Updated: 20 May 2011 17:09:57 (GMT)
Prevalence: Small Number of Reports

Troj/Zapchast-B exhibits the following characteristics:

File Information

Size
1.4M
SHA-1
d12c3b6bec943108f93b2232f3aeb12238c5e90a
MD5
fd956cfcfa18e10d707214d1c4d565f4
CRC-32
1cf18efe
File type
application/x-ms-dos-executable
First seen
2011-05-20

Runtime Analysis

Dropped Files
  • C:\WINDOWS\Temp\Cookies\main
    Size
    6
    SHA-1
    311ebb1cf84a283ee32035a6169edec0f4e75ae5
    MD5
    cb1d0aecb060543e3aeadd1cec597665
    CRC-32
    0a2f0cf8
    File type
    application/octet-stream
    First seen
    2011-05-20
  • c:\Documents and Settings\test user\Recent\image.jpg.lnk
    Size
    687
    SHA-1
    a32dad20b9f23776a9012f9d42c75a16cb6a318d
    MD5
    9bd8bee30f29a63ad06e9f64c97f2dc9
    CRC-32
    5842653d
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\mirc.ini
    Size
    3.7K
    SHA-1
    3d67c73e6b8b4d9c48832a3d9213a80db7cd2a9c
    MD5
    858bef4843c936b5bdfa2ed49233cef0
    CRC-32
    4439fc1a
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\servers.ini
    Size
    257
    SHA-1
    9368f808f881e31ae6dadf1bdb7e39b0b36867c2
    MD5
    ae8f888be884c3a1ca5cf72aaa82fa20
    CRC-32
    6b2471b0
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\remote.ini
    Size
    16K
    SHA-1
    e261f8c77aa167b9b9c837d53b10681c3de7272a
    MD5
    150b6cb179371d5afbcaa93c45b05b97
    CRC-32
    ce40b77a
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\control.ini
  • C:\WINDOWS\Temp\Cookies\fullname.txt
    Size
    16K
    SHA-1
    14485c97ec9a41a2d314ce9a145bba5872e69313
    MD5
    f0343a1cdf1af10f73d16fff07660405
    CRC-32
    ff8aa34c
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\catchme.bat
    Size
    205
    SHA-1
    8c2535fe1b932ea7a332140980e7f7e59c8c3409
    MD5
    635a18762fbcb5d3feae90cf24e97603
    CRC-32
    ad2bb80d
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\grup
    Size
    338
    SHA-1
    14b6c4a571006026b8230d41104e240cd844ea59
    MD5
    d4cbce4da767dc3c45efde33cc2e13c1
    CRC-32
    01dc8279
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\temporarly.reg
    Size
    1.3K
    SHA-1
    197689f5d0084a2ee7beccd3b13e2abafa572386
    MD5
    b72b3d575a1788bcf956a7059bf0b6fa
    CRC-32
    475f79c0
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\unlock.exe
    Size
    73K
    SHA-1
    81e686fb3f85a438ee1495a684c38482c0bb3a03
    MD5
    8a8246ad27c39750953b50fa21a56ff4
    CRC-32
    7f5767d3
    File type
    application/x-ms-dos-executable
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\crime.mrc
    Size
    22K
    SHA-1
    d86f2f417643d3ee6477a2344824989c28ec06b7
    MD5
    02e58466acb84254cd3661f187b1a049
    CRC-32
    f4478468
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\daemon.exe
  • C:\WINDOWS\Temp\Cookies\image.jpg
    Size
    216K
    SHA-1
    8b48ce52e5c152cd52dd1054586d0cb1a49ac6d0
    MD5
    0d63728e285a099c3e509b9101b13c62
    CRC-32
    6ecd7a3b
    File type
    image/jpeg
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\smain.exe
    Size
    72K
    SHA-1
    08b3bd3887280e7814542a3001302aff3dbcf71b
    MD5
    d8029ddc11c6b6c67961160b011b3ada
    CRC-32
    d1a41c17
    File type
    application/x-ms-dos-executable
    First seen
    2011-05-20
  • c:\Documents and Settings\test user\Recent\Cookies.lnk
  • C:\WINDOWS\Temp\Cookies\ok.mrc
  • C:\WINDOWS\Temp\Cookies\aliases.ini
  • C:\WINDOWS\Temp\Cookies\away.txt
    Size
    3.2K
    SHA-1
    1cd0ad2a852e1a5f6e79bb1886dec872e98fc5b4
    MD5
    c7b1b7138b0241fe62f446f4e99814a6
    CRC-32
    a5d20606
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\hmain.exe
    Size
    72K
    SHA-1
    5fade8253cc05c6e23b14210ad6c78353f2e7db8
    MD5
    47e447920e139d6b5f573b92feaaf56f
    CRC-32
    cdaa7ddb
    File type
    application/x-ms-dos-executable
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\point.ico
  • C:\WINDOWS\Temp\Cookies\users.ini
    Size
    28
    SHA-1
    45482a428b6e79125f3104f7f2c42ee25f248eb8
    MD5
    7a258b072afa73b29b83c6a550e58f63
    CRC-32
    43650a0d
    File type
    application/octet-stream
    First seen
    2011-05-20
  • C:\WINDOWS\Temp\Cookies\lock.exe
    Size
    73K
    SHA-1
    e108247db5101c2192d793eae515197728ad402a
    MD5
    419f7e1cc89a1009f33a40a95714ceed
    CRC-32
    ead46a77
    File type
    application/x-ms-dos-executable
    First seen
    2011-05-20
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    daemon
    "C:\Windows\temp\cookies\daemon.exe"
  • HKCR\irc\Shell\open\ddeexec\Application
    (Default)
    daemon
  • HKCR\ChatFile\Shell\open\ddeexec
    (Default)
    %1
  • HKCU\Software\Microsoft\Microsoft Agent
    PropertySheetHeight
    0x00000000
  • HKCU\Software\mIRC\UserName
    (Default)
    MIRC32
  • HKCU\Software\mIRC\LockOptions
    (Default)
    0,4096
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011052020110521
    CacheOptions
    0x0000000b
  • HKCU\Software\mIRC\License
    (Default)
    1893-124286
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
    UninstallString
    "C:\WINDOWS\temp\Cookies\daemon.exe" -uninstall
  • HKCR\irc\Shell\open\ddeexec\ifexec
    (Default)
    %1
  • HKCR\ChatFile\Shell\open\ddeexec\ifexec
    (Default)
    %1
  • HKCR\ChatFile\Shell\open\ddeexec\Topic
    (Default)
    Connect
  • HKCR\irc\DefaultIcon
    (Default)
    "C:\WINDOWS\temp\Cookies\daemon.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    0
    43 00 6f 00 6f 00 6b 00 69 00 65 00 73 00 00 00 48 00 32 00 00 00 00 00 00 00 00 00 00 00 43 6f 6f 6b 69 65 73 2e 6c 6e 6b 00 2e 00 03 00 04 00 ef be 00 00 00 00 00 00 00 00 14 00 00 00 43 00 6f 00 6f 00 6b 00 69 00 65 00 73 00 2e 00 6c 00 6e 00 6b 00 00 00 1a 00 00 00
  • HKCR\.chat
    (Default)
    ChatFile
  • HKCR\ChatFile
    (Default)
    Chat File
  • HKCR\irc
    EditFlags
    02 00 00 00
  • HKCR\irc\Shell\open\ddeexec
    (Default)
    %1
Processes Created
  • c:\windows\msagent\agentsvr.exe
  • c:\windows\regedit.exe
  • c:\windows\system32\attrib.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\rundll32.exe
  • c:\windows\temp\cookies\daemon.exe
IP Connections
  • 94.125.182.255:6667
DNS Requests
  • blind.com
  • irc.darkbit.info