HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Zbot.f (v) (VIPRE), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c9d5fdff351d0bdc92a000fbe18a390f
SHA1: 13cc016288abfae90ea66e6b016fe5b7f0654265
SHA256: fa1d28d9c35fa56a5f88ac29df2bc9cc9540bd83e591f2527bba79603105c07e
SSDeep: 6144:sgTUzbk9HmIEul75Kfh7nJxZUcSkeFzFzeG3d22vQlXI:LWk8TuN5KfZnJxZU3J24
Size: 315904 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-23 14:02:57
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
amum.exe:1244
amum.exe:456
net1.exe:620
net1.exe:240
net.exe:168
net.exe:1836
iexplore.exe:1872
iexplore.exe:1820
%original file name%.exe:1032
%original file name%.exe:1292
File activity
The process amum.exe:1244 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\system.pif (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\system.pif (1425 bytes)
%Documents and Settings%\%current user%\Application Data\firefox.exe (1425 bytes)
The process %original file name%.exe:1032 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\system.pif (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\system.pif (1425 bytes)
%Documents and Settings%\%current user%\Application Data\firefox.exe (1425 bytes)
The process %original file name%.exe:1292 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3ea924cc.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Ifohev\amum.exe (315 bytes)
Registry activity
The process amum.exe:1244 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 53 32 25 8F D6 13 EB 4A 16 F9 14 71 94 D1 B5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"help" = "%Documents and Settings%\%current user%\Application Data\firefox.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"help" = "%Documents and Settings%\%current user%\Application Data\firefox.exe"
The process amum.exe:456 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 7F 85 E2 51 58 9B 0C 23 AC 21 8B 1D 7D 5C DF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process net1.exe:620 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 2E 21 3D 34 A5 9F 7B 13 1C 60 93 8A AB B1 91"
The process net1.exe:240 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 C6 BA CD FD B0 C0 8A 27 86 AF 04 49 41 1F 17"
The process net.exe:168 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 7A 9C AC 02 0C B4 8C FF 29 62 EE 7D 5C 03 61"
The process net.exe:1836 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 2F B5 B3 9D CB 5C 12 DD DA 00 5D 83 21 BD 2E"
The process iexplore.exe:1872 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 04 E6 86 F9 7E 41 84 0A 9D 0F A6 E3 F0 DD 80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process iexplore.exe:1820 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 93 57 31 68 2D C5 87 96 09 4D 85 13 66 EA AA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process %original file name%.exe:1032 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 93 FF 25 C6 C5 67 C0 A9 FB F4 25 9A CC 87 69"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"help" = "%Documents and Settings%\%current user%\Application Data\firefox.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"help" = "%Documents and Settings%\%current user%\Application Data\firefox.exe"
The process %original file name%.exe:1292 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 22 FD 7B F7 19 BF A2 7A 1E 34 19 1E 63 7A A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Network activity (URLs)
URL | IP
---|---
hxxp://176.31.95.143/bo3/config.bin |
hxxp://176.31.95.143/ |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSASend
send
closesocket
The Trojan-PSW installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
amum.exe:1244
amum.exe:456
net1.exe:620
net1.exe:240
net.exe:168
net.exe:1836
iexplore.exe:1872
iexplore.exe:1820
%original file name%.exe:1032
%original file name%.exe:1292
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\system.pif (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\system.pif (1425 bytes)
%Documents and Settings%\%current user%\Application Data\firefox.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3ea924cc.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Ifohev\amum.exe (315 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"help" = "%Documents and Settings%\%current user%\Application Data\firefox.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"help" = "%Documents and Settings%\%current user%\Application Data\firefox.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.