Trojan-PSW.Win32.Zbot.4_63ff58a510

by malwarelabrobot on October 26th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan-Spy.Zbot!IK (Emsisoft), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 63ff58a510b547ec7c10fa3e18a2008d
SHA1: 51eb03fbb59a69021e69d50e3031605889fb4e64
SHA256: 508daa8c2839c87e893426d59ee2b5a88c8f5892200810af7e8ec947af8f1a1a
SSDeep: 6144:l1mqHMQfc/ZtwiEQX6 CAX9e IrVVMkvj JldxdljVoiOb:VH7YZjED CfZVVdCHdlj
Size: 317952 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Conduit
Created at: 2010-07-13 15:43:11


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

poeja.exe:2972
63ff58a510b547ec7c10fa3e18a2008d.exe:2672

The Trojan-PSW injects its code into the following process(es):

ctfmon.exe:252

File activity

The process poeja.exe:2972 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)

The process 63ff58a510b547ec7c10fa3e18a2008d.exe:2672 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BOY3246.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Obofo\poeja.exe (1742 bytes)

The process ctfmon.exe:252 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (3120 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (2428 bytes)

Registry activity

The process poeja.exe:2972 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 D1 41 CC 91 26 1D 85 20 67 BC 85 8D CE EA 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Nujyresuuj]
"32feegf1" = "FC A4 75 9A B6 6B E3 02 A8 C8 B4 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process 63ff58a510b547ec7c10fa3e18a2008d.exe:2672 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process ctfmon.exe:252 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 83 38 2A E1 F8 DF E4 C6 AD AA 44 7D 82 39 F2"

[HKCU\Identities]
"Last User ID" = "{6855BFC2-9E4A-4896-A11D-74388FBABDC2}"

[HKCU\Identities]
"Last Username" = "Main Identity"

[HKCU\Software\Microsoft\Nujyresuuj]
"367b93gj" = "z6QBmg=="

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"

[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"

[HKCU\Identities]
"Identity Login" = "622675"

[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Identities]
"Changing"

[HKCU\Identities]
"OutgoingID"

[HKCU\Identities]
"IncomingID"

The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    poeja.exe:2972
    63ff58a510b547ec7c10fa3e18a2008d.exe:2672

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BOY3246.bat (173 bytes)
    %Documents and Settings%\%current user%\Application Data\Obofo\poeja.exe (1742 bytes)

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.