Trojan.Generic.KDZ.12694 (BitDefender), PWS:Win32/Zbot.gen!Y (Microsoft), Trojan-Dropper.Win32.Injector.iwlq (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), BackDoor.Blackshades.17 (DrWeb), Trojan.Generic.KDZ.12694 (B) (Emsisoft), PWS-Zbot-FBDH!3BDBA594E780 (McAfee), Trojan.Zbot (Symantec), Win32.SuspectCrc (Ikarus), Trojan.Generic.KDZ.12694 (FSecure), SHeur4.BEYO (AVG), Win32:Crypt-PED [Trj] (Avast), TROJ_GEN.R047C0CK813 (TrendMicro), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3bdba594e78078c84a251068221c13b3
SHA1: 3bb2459a78fdfdb92c9010b4fee883a2aa158131
SHA256: 25c589b961f293e7c611d4b680c584a68e47dc7116404fa3273dcdf00e5a39b1
SSDeep: 6144:UqLzGyzpKalLBQmBypPt ZelNA8cXZb IRKry:nphltQTPtGVX3RKry
Size: 243990 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: WinterSoft
Created at: 2013-03-29 22:31:46
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
net.exe:188
net.exe:1496
duiso.exe:560
duiso.exe:556
net1.exe:1804
net1.exe:440
wuauclt.exe:344
%original file name%.exe:1768
%original file name%.exe:1776
iexplore.exe:1824
iexplore.exe:1612
jusched.exe:1056
The Trojan-PSW injects its code into the following process(es):
Reader_sl.exe:1064
File activity
The process wuauclt.exe:344 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan-PSW deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1776 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Gyaza\duiso.exe (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpc22d9fac.bat (177 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process net.exe:188 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 8C 3A 3B 88 4A 95 36 EE 8C F0 02 73 78 EA DC"
The process net.exe:1496 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 E2 B1 1F 09 40 EA D4 BC C4 D4 A6 E6 F2 63 60"
The process duiso.exe:560 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 2C 83 6E 59 E2 6D 18 81 CE 5B 60 CD 24 DA 46"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process duiso.exe:556 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"
The process net1.exe:1804 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C BC F1 AD D0 85 28 B4 36 50 40 A8 EE 45 43 0A"
The process net1.exe:440 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF BE 46 FF A3 34 38 97 F5 31 DC 25 EC A3 F8 57"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Yzul]
"Runefat" = "A2 07 7B 19 B2 7F 4C BD 79 99 41 CE 94 59 5A 42"
The process %original file name%.exe:1768 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"
The process %original file name%.exe:1776 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 9F 17 8B 67 B0 BC 81 A4 8E 11 4B 70 AD 9A B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process iexplore.exe:1824 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 DA 8F 5B F8 BB 10 FB 6C F4 84 F1 CE 89 E1 4E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process iexplore.exe:1612 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 1A 62 EF 8B 49 82 39 3B D4 17 10 9B 3C 8E DF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Network activity (URLs)
URL | IP |
---|---|
hxxp://obutto.eu/shop/admin/index/upload/config.bin (Malicious) | 213.5.176.231 |
hxxp://www.google.com/webhp | 173.194.43.84 |
hxxp://www.google.ca/webhp?gws_rd=cr&ei=gyiGUrWTCYnlyAGBm4HoDg | 173.194.43.95 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSASend
send
closesocket
The Trojan-PSW installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
net.exe:188
net.exe:1496
duiso.exe:560
duiso.exe:556
net1.exe:1804
net1.exe:440
wuauclt.exe:344
%original file name%.exe:1768
%original file name%.exe:1776
iexplore.exe:1824
iexplore.exe:1612
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Application Data\Gyaza\duiso.exe (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpc22d9fac.bat (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.