Trojan-PSW.Win32.Zbot_6749a94f02

by malwarelabrobot on October 4th, 2013 in Malware Descriptions.

Trojan-Dropper.Win32.Injector.jnks (Kaspersky), Trojan.PWS.Multi.1145 (DrWeb), Trojan.Win32.Zbot (A) (Emsisoft), RDN/Generic PWS.y!uy (McAfee), WS.Reputation.1 (Symantec), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6749a94f02d54613eecdab189a81d189
SHA1: d969e4ad8adb063d3cb698c66c4a087bab1c6a95
SHA256: d6a3cf0a6dba0d69b1f7a210e4b26ade513401c4ec09e871439b38e6d93d0a74
SSDeep: 6144:7e34JTf3DU9OomlHLaYqhc /eoSVq9x/ePnQ0jTx0rEShuvGisXJf:0uVqh/ei/inQ0jTS7oe9
Size: 282582 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

6749a94f02d54613eecdab189a81d189.exe:1316
6749a94f02d54613eecdab189a81d189.exe:168
6749a94f02d54613eecdab189a81d189.exe:1716
odpe.exe:1736
odpe.exe:1520
odpe.exe:1484

File activity

The process 6749a94f02d54613eecdab189a81d189.exe:1316 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp6295c9c8.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Gezah\odpe.exe (282 bytes)

The process 6749a94f02d54613eecdab189a81d189.exe:168 makes changes in the file system.
The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Qukohucefo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Juyolifuyu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jifamira.ene (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Finixogimu.dll (0 bytes)

The process 6749a94f02d54613eecdab189a81d189.exe:1716 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Qukohucefo.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Juyolifuyu.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Finixogimu.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jifamira.ene (6676 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)

The process odpe.exe:1520 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Qukohucefo.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Juyolifuyu.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Finixogimu.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jifamira.ene (6676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\System.dll (11 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\System.dll (0 bytes)

The process odpe.exe:1484 makes changes in the file system.
The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Qukohucefo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Juyolifuyu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jifamira.ene (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Finixogimu.dll (0 bytes)

Registry activity

The process 6749a94f02d54613eecdab189a81d189.exe:1316 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 43 06 64 6D E3 63 DA 0F 89 58 4B C7 3D 4A 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process 6749a94f02d54613eecdab189a81d189.exe:1716 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 84 1F 07 56 50 F7 69 0B 9D F6 B1 31 F2 FE 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process odpe.exe:1736 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 09 EC D2 E5 F7 F8 17 29 F8 C5 56 88 4A 35 BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process odpe.exe:1520 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 F1 39 B4 98 CE 56 E4 AD 70 A2 7E F3 29 43 E7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Network activity (URLs)

URL: hxxp://93.78.121.116/not/him/file.php (Malicious)
IP: 93.78.121.116


Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WINMM.dll:

PlaySoundW

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetSetFilePointer
InternetQueryDataAvailable
HttpOpenRequestW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpOpenRequestA

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan-PSW installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSASend
gethostbyname
send
closesocket
getaddrinfo

The Trojan-PSW installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    6749a94f02d54613eecdab189a81d189.exe:1316
    6749a94f02d54613eecdab189a81d189.exe:168
    6749a94f02d54613eecdab189a81d189.exe:1716
    odpe.exe:1736
    odpe.exe:1520
    odpe.exe:1484

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temp\tmp6295c9c8.bat (177 bytes)
    %Documents and Settings%\%current user%\Application Data\Gezah\odpe.exe (282 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Qukohucefo.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Juyolifuyu.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Finixogimu.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Jifamira.ene (6676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\System.dll (11 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.