
Troj/Zbot-BXV

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 26 May 2012 02:33:37 (GMT)
Last Updated: 26 May 2012 02:33:37 (GMT)


Examples of Troj/Zbot-BXV include:

Example 1

File Information

Size: 196K
SHA-1: 3b085bfd11254747907ce25bcfb6d58dc4a19290
MD5: 8ceb3cdf5ed38d1fcbf3d58563af6c5c
CRC-32: 3997edc5
File type: Windows executable
First seen: 2012-04-03

Other vendor detection

Avira: TR/Crypt.XPACK.Gen
Kaspersky: Trojan-Downloader.Win32.Injecter.kpa

Runtime Analysis

Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    Name
    giuz.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    {62CA0015-299B-88DE-35DD-7D4CA0DADBD7}
    "c:\Documents and Settings\test user\Application Data\Idihnag\giuz.exe"
  • HKCU\Software\Microsoft\Niaf
    Dugyxog
    (binary data, not rendered)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    ID
    0x452dec33
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    ae 80 e4 0a 47 3a cd 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000006
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\idihnag\giuz.exe
HTTP Requests
  • http://pantera-hd.ru/images/load.php
  • http://www.google.ru/intl/ru/options
  • http://www.google.ru/intl/ru/options/
DNS Requests
  • pantera-hd.ru
  • scaranio.com
  • www.google.ru

Example 2

File Information

Size: 196K
SHA-1: 452c3e5f292651c5d5245b57bf2f91560d4da746
MD5: 53caeea6441504f8f3a462a6c6f58575
CRC-32: 275d9d23
File type: Windows executable
First seen: 2012-05-04

Other vendor detection

Avira: TR/Crypt.XPACK.Gen
Kaspersky: Trojan-Downloader.Win32.Injecter.kpa

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    Name
    test_item.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    ID
    0x452dec33

Example 3

File Information

Size: 196K
SHA-1: 7b99f120e47c9371d806eee78d9497fb508f1f86
MD5: 2753a3b543b59eedaee25dbaec9fbe8a
CRC-32: cce04175
File type: Windows executable
First seen: 2012-04-06

Other vendor detection

Avira: TR/Crypt.XPACK.Gen
Kaspersky: Trojan-Downloader.Win32.Injecter.kpa

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    Name
    test_item.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    ID
    0x452dec33
