Trojan-PSW.Win32.Zbot_3bdba594e7

by malwarelabrobot on November 16th, 2013 in Malware Descriptions.

Trojan.Generic.KDZ.12694 (BitDefender), PWS:Win32/Zbot.gen!Y (Microsoft), Trojan-Dropper.Win32.Injector.iwlq (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), BackDoor.Blackshades.17 (DrWeb), Trojan.Generic.KDZ.12694 (B) (Emsisoft), PWS-Zbot-FBDH!3BDBA594E780 (McAfee), Trojan.Zbot (Symantec), Win32.SuspectCrc (Ikarus), Trojan.Generic.KDZ.12694 (FSecure), SHeur4.BEYO (AVG), Win32:Crypt-PED [Trj] (Avast), TROJ_GEN.R047C0CK813 (TrendMicro), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 3bdba594e78078c84a251068221c13b3
SHA1: 3bb2459a78fdfdb92c9010b4fee883a2aa158131
SHA256: 25c589b961f293e7c611d4b680c584a68e47dc7116404fa3273dcdf00e5a39b1
SSDeep: 6144:UqLzGyzpKalLBQmBypPt ZelNA8cXZb IRKry:nphltQTPtGVX3RKry
Size: 243990 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: WinterSoft
Created at: 2013-03-29 22:31:46


Summary:

Trojan-PSW: a Trojan program intended to steal users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

net.exe:188
net.exe:1496
duiso.exe:560
duiso.exe:556
net1.exe:1804
net1.exe:440
wuauclt.exe:344
%original file name%.exe:1768
%original file name%.exe:1776
iexplore.exe:1824
iexplore.exe:1612
jusched.exe:1056

The Trojan-PSW injects its code into the following process(es):

Reader_sl.exe:1064

File activity

The process wuauclt.exe:344 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan-PSW deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:1776 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Gyaza\duiso.exe (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpc22d9fac.bat (177 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

The process net.exe:188 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 8C 3A 3B 88 4A 95 36 EE 8C F0 02 73 78 EA DC"

The process net.exe:1496 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 E2 B1 1F 09 40 EA D4 BC C4 D4 A6 E6 F2 63 60"

The process duiso.exe:560 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 2C 83 6E 59 E2 6D 18 81 CE 5B 60 CD 24 DA 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process duiso.exe:556 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To run itself automatically each time Windows boots, the Trojan-PSW adds the following reference under the system registry autorun keys (note that the value the sandbox recorded is the (Default) value of each Run key and points at the Application Data directory rather than at the dropped duiso.exe itself):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"

The process net1.exe:1804 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C BC F1 AD D0 85 28 B4 36 50 40 A8 EE 45 43 0A"

The process net1.exe:440 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF BE 46 FF A3 34 38 97 F5 31 DC 25 EC A3 F8 57"

The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Yzul]
"Runefat" = "A2 07 7B 19 B2 7F 4C BD 79 99 41 CE 94 59 5A 42"

The process %original file name%.exe:1768 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To run itself automatically each time Windows boots, the Trojan-PSW adds the following reference under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:1776 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 9F 17 8B 67 B0 BC 81 A4 8E 11 4B 70 AD 9A B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process iexplore.exe:1824 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 DA 8F 5B F8 BB 10 FB 6C F4 84 F1 CE 89 E1 4E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process iexplore.exe:1612 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 1A 62 EF 8B 49 82 39 3B D4 17 10 9B 3C 8E DF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Network activity (URLs)

URL                                                              IP
hxxp://obutto.eu/shop/admin/index/upload/config.bin (Malicious)  213.5.176.231
hxxp://www.google.com/webhp                                      173.194.43.84
hxxp://www.google.ca/webhp?gws_rd=cr&ei=gyiGUrWTCYnlyAGBm4HoDg   173.194.43.95
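The hashes in the header, the dropped-file paths, the registry artefacts and the config.bin URL above are the indicators a responder would actually sweep a host or a proxy log for. The script below is an added example, not part of the Lavasoft description: it compares a file's MD5/SHA1/SHA256 against the header values, parses the text that `reg export` produces and flags a (Default) value on either Run key together with the HKCU\Software\Microsoft\Yzul key, and matches file paths and proxy-log lines against the report's indicators. The .reg text, path list and log lines are constructed for the demonstration, and the paths assume the Windows XP profile layout the report uses.

```python
"""Offline IOC matcher built from the indicators in this report.
Added example, not part of the Lavasoft description: it checks a file's hashes
against the header values, scans `reg export` output for the registry artefacts,
and matches dropped-file paths and proxy-log URLs. Sample inputs are constructed."""
import hashlib

# Indicators copied from the report (lower-cased where matched case-insensitively).
IOC_HASHES = {
    "md5": "3bdba594e78078c84a251068221c13b3",
    "sha1": "3bb2459a78fdfdb92c9010b4fee883a2aa158131",
    "sha256": "25c589b961f293e7c611d4b680c584a68e47dc7116404fa3273dcdf00e5a39b1",
}
IOC_PATH_SUFFIXES = (
    r"\application data\gyaza\duiso.exe",
    r"\local settings\temp\tmpc22d9fac.bat",
)
IOC_REG_KEYS = {r"hkey_current_user\software\microsoft\yzul"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
IOC_URL = "obutto.eu/shop/admin/index/upload/config.bin"


def hash_matches(data: bytes) -> dict:
    """Report which of the sample's hashes the given file content matches."""
    return {
        "md5": hashlib.md5(data).hexdigest() == IOC_HASHES["md5"],
        "sha1": hashlib.sha1(data).hexdigest() == IOC_HASHES["sha1"],
        "sha256": hashlib.sha256(data).hexdigest() == IOC_HASHES["sha256"],
    }


def parse_reg_export(text: str) -> dict:
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key: {value_name: raw_value}}. '@' is the (Default) value; quoted strings
    are unescaped, hex:/dword: data is kept as the raw string."""
    logical = []
    for raw in text.lstrip("\ufeff").splitlines():
        if logical and logical[-1].endswith("\\"):   # hex: continuation line
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw.rstrip())
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def find_registry_iocs(reg_text: str) -> list:
    """Flag (Default) set on a Run key, as the report shows, and the Yzul key."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k in RUN_KEYS and "@" in values:
            findings.append(f"{key} (Default) = {values['@']}")
        if k in IOC_REG_KEYS:
            findings.append(f"{key} present, values: {sorted(values)}")
    return findings


def find_file_iocs(paths) -> list:
    """Match full paths against the dropped-file locations in the report."""
    return [p for p in paths if p.lower().endswith(IOC_PATH_SUFFIXES)]


def find_url_iocs(log_lines) -> list:
    """Return proxy-log lines that fetched the config.bin URL."""
    return [line for line in log_lines if IOC_URL in line.lower()]


# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Documents and Settings\\alice\\Application Data"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Yzul]
"Runefat"=hex:a2,07,7b,19,b2,7f,4c,bd,\
  79,99,41,ce,94,59,5a,42
'''
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\Gyaza\duiso.exe",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\Crypto\RSA\keys.dat",
]
SAMPLE_LOG = [
    '10.0.0.5 "GET http://obutto.eu/shop/admin/index/upload/config.bin HTTP/1.1" 200 3104',
    '10.0.0.5 "GET http://www.google.com/webhp HTTP/1.1" 200 11523',
]

if __name__ == "__main__":
    print(find_registry_iocs(SAMPLE_REG), find_file_iocs(SAMPLE_PATHS), find_url_iocs(SAMPLE_LOG))
```

On a live machine, feed `parse_reg_export` the output of `reg export HKCU\Software\Microsoft dump.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; the Run-key check is deliberately written against the value name rather than the path, because the (Default) value being set at all is the unusual part of what the sandbox recorded.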


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan-PSW installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread
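The hooked APIs above are the points where the data a banking Trojan wants passes through user mode: HttpSendRequest*/WSASend/send carry outbound request bodies (submitted forms and credentials), InternetReadFile* carries the page content a browser receives, PFXImportCertStore is where a PKCS#12 certificate and its private key are loaded, GetClipboardData and the paint/DC functions expose clipboard contents and window surfaces, and LdrLoadDll/NtCreateThread let the hooking code follow newly loaded modules and threads. Step 1 of the manual removal ("scan with an anti-rootkit tool") amounts to checking whether those exports still begin with their original prologue. The script below is an added example, not from the report: given the first bytes of an exported function as read from a live process and the address range of the module that owns it, it recognises the redirection stubs hooking engines write and reports those that leave the module. Reading the bytes on a real host (ReadProcessMemory, or a comparison against the DLL on disk) is not shown; the module range, export addresses and prologues are constructed, and a detour is only a lead, since security products and accessibility software also hook these functions.

```python
"""Prologue check for the user-mode hooks listed above. Added example, not
from the report: given the first bytes of an exported function as read from a
live process and the address range of the module that owns it, it recognises
the redirection stubs hooking engines write and reports those that leave the
module. Addresses and prologues below are constructed."""
import struct
from typing import Dict, Optional, Tuple

# Standard hot-patchable Win32 x86 prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def classify_prologue(prologue: bytes, func_addr: int,
                      module_range: Tuple[int, int]) -> Optional[str]:
    """Describe the hook if `prologue` at `func_addr` redirects execution
    outside `module_range` (start, end); None if it looks untouched."""
    lo, hi = module_range

    def outside(target: int) -> bool:
        return not lo <= target < hi

    # E9 rel32: the usual 5-byte jmp detour
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        target = (func_addr + 5 + rel) & 0xFFFFFFFF
        # an in-module jmp can be a legitimate thunk; only flag external targets
        return f"jmp rel32 -> 0x{target:08x}" if outside(target) else None
    # FF 25 abs32: jmp dword ptr [abs32], target lives in a pointer slot
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        slot = struct.unpack_from("<I", prologue, 2)[0]
        return f"indirect jmp via [0x{slot:08x}] (resolve the slot before judging)"
    # 68 imm32 C3: push imm32 / ret
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        target = struct.unpack_from("<I", prologue, 1)[0]
        return f"push/ret -> 0x{target:08x}" if outside(target) else None
    # B8 imm32 FF E0: mov eax, imm32 / jmp eax
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":
        target = struct.unpack_from("<I", prologue, 1)[0]
        return f"mov eax/jmp eax -> 0x{target:08x}" if outside(target) else None
    return None


def scan_exports(exports: Dict[str, Tuple[int, bytes]],
                 module_range: Tuple[int, int]) -> Dict[str, str]:
    """exports: {name: (address, first bytes)} -> {name: hook description}."""
    hooked = {}
    for name, (addr, prologue) in exports.items():
        verdict = classify_prologue(prologue, addr, module_range)
        if verdict:
            hooked[name] = verdict
    return hooked


def make_detour(func_addr: int, target: int) -> bytes:
    """Build the 5-byte E9 detour a hooking engine writes over a prologue."""
    return b"\xe9" + struct.pack("<i", target - (func_addr + 5))


# Constructed: a WININET.dll mapping and a private page the hooks land in.
WININET_RANGE = (0x771B0000, 0x77256000)
INJECTED_PAGE = 0x00A2F000
SAMPLE_EXPORTS = {
    "HttpSendRequestA": (0x771D1234, make_detour(0x771D1234, INJECTED_PAGE)),
    "InternetReadFile": (0x771C8F00, b"\x68" + struct.pack("<I", INJECTED_PAGE) + b"\xc3"),
    "InternetConnectA": (0x771C2000, make_detour(0x771C2000, 0x771C2F00)),  # thunk inside the DLL
    "InternetOpenA": (0x771C0A10, CLEAN_PROLOGUE),
}

if __name__ == "__main__":
    for name, verdict in scan_exports(SAMPLE_EXPORTS, WININET_RANGE).items():
        print(f"{name}: {verdict}")
```

The module-range test is what keeps the check useful: a jmp that stays inside WININET.dll is how the DLL's own thunks and hot-patch stubs look, while a detour into a private, non-image page such as the one Reader_sl.exe received the injected code in is what the hook list above describes.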

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    net.exe:188
    net.exe:1496
    duiso.exe:560
    duiso.exe:556
    net1.exe:1804
    net1.exe:440
    wuauclt.exe:344
    %original file name%.exe:1768
    %original file name%.exe:1776
    iexplore.exe:1824
    iexplore.exe:1612

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Application Data\Gyaza\duiso.exe (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpc22d9fac.bat (177 bytes)

    The remaining files in the activity log were written by wuauclt.exe (the Windows Update client, into its own SoftwareDistribution data store) and by jusched.exe (the Java Update Scheduler); the report does not show the Trojan injecting into either process, so treat these as background activity recorded during the run rather than as Trojan artefacts:

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "%Documents and Settings%\%current user%\Application Data"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "%Documents and Settings%\%current user%\Application Data"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.