Trojan-PSW.Win32.Zbot.4_83d0f37a08

by malwarelabrobot on October 20th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan-Spy.Win32.Zbot!IK (Emsisoft), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 83d0f37a08d1916c935db7305db9d478
SHA1: aabcc17ee9b9a1defa03f52c7006f26007fbf849
SHA256: 3df867e86d87b9e5a965b607ef65cbfbffa25062a528baf7ff7cb605a51f93ec
SSDeep: 6144:JmjIdcbBWhVnu5Maux4evNLBVHwJ8nxNf0 qKDS8V1lwVeZ:wcdcbBwVu/YVbbnxhpqKDxLwVeZ
Size: 308736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-04-18 12:18:53


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

83d0f37a08d1916c935db7305db9d478.exe:1616
giviy.exe:1220

File activity

The process 83d0f37a08d1916c935db7305db9d478.exe:1616 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Leygxu\giviy.exe (1733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PDLF7F0.bat (173 bytes)

The process giviy.exe:1220 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7160 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5180 bytes)

Registry activity

The process 83d0f37a08d1916c935db7305db9d478.exe:1616 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 99 4F C8 C2 DB C1 AE 57 42 04 AE 59 94 3D E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process giviy.exe:1220 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 51 09 04 DA 68 97 FF 90 17 70 5E F6 A8 64 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Uqifovman]
"30fdb188" = "CB 61 0C 77 19 5F 51 20 E0 7B 9B D9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

URL IP
hxxp://www.google.com/ 173.194.43.82
hxxp://www.google.ca/?gws_rd=cr&ei=snNiUpfqBY7OyAHryoGQDQ 173.194.43.88


Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    83d0f37a08d1916c935db7305db9d478.exe:1616
    giviy.exe:1220

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Application Data\Leygxu\giviy.exe (1733 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PDLF7F0.bat (173 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (7160 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.