Submission Summary:

• Submission details:
• Submission received: 16 July 2012, 16:37:44
• Processing time: 10 min 3 sec
• Submitted sample:
• File MD5: 0xDEA7013F2068EA25CF00E8C87014F096
• File SHA-1: 0xD4114C00EB5D90D7FAEC3E9E4F98734EFD6ED914
• Filesize: 329,376 bytes
• Alias:
• PWS-Zbot.gen.uh [McAfee]
• Mal/Cleaman-B [Sophos]
• Virus.Win32.Zbot [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Yqod\mode.exe	329,376 bytes	MD5: 0x412EC8B02E633DB1A7EDDD9A27763D72 SHA-1: 0xA838C3B3D507F00FF169B4028B005B7825A00771	PWS-Zbot.gen.uh [McAfee] Mal/Cleaman-B [Sophos] Virus.Win32.Zbot [Ikarus]
2	%Temp%\tmp9de6b57c.bat	168 bytes	MD5: 0x8E5937FFCCFBE857D10481AE371ECD18 SHA-1: 0xF577C07973FF4B10E21E475EE8F95412A5AEF01F	(not available)
3	[file and pathname of the sample #1]	329,376 bytes	MD5: 0xDEA7013F2068EA25CF00E8C87014F096 SHA-1: 0xD4114C00EB5D90D7FAEC3E9E4F98734EFD6ED914	PWS-Zbot.gen.uh [McAfee] Mal/Cleaman-B [Sophos] Virus.Win32.Zbot [Ikarus]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

• The following directory was created:
• %AppData%\Yqod

Memory Modifications

• There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
cmd.exe	%System%\cmd.exe	278,528 bytes

• Notes:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

• The following Registry Keys were created:
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
• HKEY_CURRENT_USER\Software\Microsoft\Neju

• The newly created Registry Values are:
• [HKEY_CURRENT_USER\Identities]
• Identity Login = 0x00098053
• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
• CleanCookies = 0x00000000
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = ""%AppData%\Yqod\mode.exe""

so that mode.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Neju]
• 1ja7fb64 = 89 7D 0E 68 31 E3 FA 6B 1F AA
• 1ee8j5c2 = "un1saA=="
• ccd4afa = 77 44 6C 68 DB CD CB 6B 2A AA 16 2F
• 328i4887 = EB 7D 6C 68 5B E3 CB 6B 2B 9A 17 2F AF 34 FB 68 5D 4F 90 E6 5E B0 E0 F6 0B 3D C9 43 2D BB 14 04 DA E6 38 0B F0 1F 55 B4 B3 52 6A 6D B2 EE F2 41 64 E0 5A 0E 4E 54 F5 7F 79 D3 68 45 01 F2 82 2A DD 54 45 AC 98 85 19 B8 86 9A 6D 91 60 C9 38 B7 FA A8 C1 2
• 2349eda7 = EB 7D 6C 68 5B 45 CF 3B 3E 0F 6E AC 3E 7D 24 57 07 9E 8D 7A 88 3F DF BA 4E 66 74 01 C2 2A BE 38 68 CA 78 55 6C FE 1C E4 8D 52 6A 6D B2 EE F2 41 64 E0 5A 0E 4E 54 F5 7F 79 D3 68 26 F9 0D 4B AA 0D 8C EA BE 5B 87 CB 2E 24 51 E4 67 E9 03 3B 42 E8 C1 20 7
• 90jf8c8 = EB 7D 6C 68 5B E3 CB 6B 2A AA 16 2F AF 34 FB 7B 24 CC 52 51 40 5C 38 64 8F 45 51 92 F4 F0 81 F7 C5 BA BA FE

• The following Registry Values were modified:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
• 1609 =
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
• 1406 =
• 1609 =
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
• 1609 =
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
• 1406 =
• 1609 =
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
• 1406 =
• 1609 =

Other details

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The data identified by the following URL was then requested from the remote web server:
• http://www.google.com/

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 13429: