Trojan-PSW.Win32.Zbot.4_05b8f9d078

by malwarelabrobot on October 5th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Win32.Malware!Drop (VIPRE), Trojan-PSW.Win32.Zbot.4.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 05b8f9d078f1d6277dd33855b391986b
SHA1: ba4ed4aebad81d552813bbf2203d73cfb892bb18
SHA256: c6ad231b62eab9b4dfb882893e04d0b0b483d446063b15cec391c3a7a768d3b3
SSDeep: 6144:GVcF/qvKT1x5MlJYQuEs HWvrhOFTX4LgsijnhWnRRvzRzi7LETH:kcFyST1QzNi9OdKijh05SQ
Size: 313856 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-04-18 14:23:51


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

705750.exe:1344
704609.exe:700
dotnetfx.exe:1548
707343.exe:1256
05b8f9d078f1d6277dd33855b391986b.exe:1996
yxme.exe:908

The Trojan-PSW injects its code into the following process(es):

Explorer.EXE:1852

File activity

The process 705750.exe:1344 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\GoogleUpdate.exe (211 bytes)
%Program Files%\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\ \ \‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\GoogleUpdate.exe (211 bytes)
%Program Files%\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\ \ \‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\@ (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\@ (2 bytes)

The process dotnetfx.exe:1548 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\704609.exe (807120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\707343.exe (807120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\705750.exe (818664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\726625.bat (94 bytes)

The process 05b8f9d078f1d6277dd33855b391986b.exe:1996 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Qesy\yxme.exe (1738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NQB4FC3.bat (173 bytes)

The process yxme.exe:908 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5660 bytes)

Registry activity

The process 705750.exe:1344 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 7A F8 0C 6A B3 65 BA B2 5B B0 5A E9 21 D9 C9"

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"Description" = "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it."

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"ObjectName" = "LocalSystem"

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"DisplayName" = "Google Update Service (gupdate)"

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"Type" = "16"

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"ImagePath" = "%Program Files%\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\ \ \‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\GoogleUpdate.exe <"

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"Parameters" = "260"

The following service will be launched automatically at system boot-up:

[HKLM\System\CurrentControlSet\Services\‮etadpug]
"Start" = "2"

To run itself automatically each time Windows boots, the Trojan-PSW adds the following link to its file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\GoogleUpdate.exe >"

The Trojan-PSW deletes the following value(s) in the system registry, disabling automatic startup of the application by removing its autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"

The process 704609.exe:700 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 28 EE 79 01 4E 4E 57 88 45 12 E3 99 83 71 7B"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1112458565"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "704609.exe"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "704609.exe"

The process Explorer.EXE:1852 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"Sort" = "0"

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"SortDir" = "1"

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"Mode" = "1"

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"Col" = "4294967295"

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"ScrollPos1024x768(1).y" = "0"

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"ScrollPos1024x768(1).x" = "0"

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"ItemPos1024x768(1)" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\Shell\BagMRU]
"NodeSlots" = "02 02"

[HKCU\Software\Microsoft\Windows\Shell\BagMRU]
"MRUListEx" = "00 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"ColInfo" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process dotnetfx.exe:1548 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinRAR]
"Client Hash" = "C0 35 68 10 26 ED 6F 34 05 3F 02 46 BF 37 D9 32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"707343.exe" = "Heretevt it(c)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\WinRAR]
"HWID" = "7B 34 38 36 39 37 34 31 46 2D 46 32 37 37 2D 34"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"726625.bat" = "726625"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\Administrator\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\Administrator\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"704609.exe" = "Heretevt it(c)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 93 7E E0 33 32 65 72 83 F8 C4 02 94 B6 D3 59"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"705750.exe" = "705750"

[HKCU\Software\WinRAR]
"D944BE5BD1968B8E952371E1502BEB12" = "74 72 75 65"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\WinRAR]
"99211F12C2DEE0422FAC83ED601900CD" = "74 72 75 65"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\Administrator\Local Settings\Application Data"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\WinRAR]
"Client Hash" = "C2 A3 3D B1 A0 0D D0 FE E5 B7 4D 7E 0F 87 0F 99"

[HKCU\Software\WinRAR]
"HWID" = "7B 36 30 31 39 42 33 35 45 2D 38 35 41 35 2D 34"

The Trojan-PSW modifies the IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process 707343.exe:1256 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 8B 0F E0 9B 13 88 D5 69 7E 2A F3 20 F9 A9 72"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1112458565"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "707343.exe"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "707343.exe"

The process 05b8f9d078f1d6277dd33855b391986b.exe:1996 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 31 85 A3 2C C7 B3 61 68 EC FB 01 1C F6 69 A9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process yxme.exe:908 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 CE 26 B1 6A 54 7B F4 C6 9B 1F E0 DD A1 B3 35"

[HKCU\Software\Microsoft\Uxmezuaco]
"1456b995" = "MErx9TXh0Jowxw==r"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

URL                                          IP
hxxp://abestogo.com/dotnetfx.exe             66.175.221.70
hxxp://adelect.com/ponyb/gate.php            66.150.155.210
hxxp://01f30d0.netsolhost.com/K0ztqV8n.exe   205.178.152.26
hxxp://50.62.228.104/PRC.exe                 (Malicious)
hxxp://208.106.191.91/yYcyv6Re.exe           (Malicious)
hxxp://j.maxmind.com/app/geoip.js            108.168.255.244
www.google.com                               74.125.225.116


Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    705750.exe:1344
    704609.exe:700
    dotnetfx.exe:1548
    707343.exe:1256
    05b8f9d078f1d6277dd33855b391986b.exe:1996
    yxme.exe:908

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\GoogleUpdate.exe (211 bytes)
    %Program Files%\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\ \ \‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\GoogleUpdate.exe (211 bytes)
    %Program Files%\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\ \ \‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\@ (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\@ (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\704609.exe (807120 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\707343.exe (807120 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\705750.exe (818664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\726625.bat (94 bytes)
    %Documents and Settings%\%current user%\Application Data\Qesy\yxme.exe (1738 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NQB4FC3.bat (173 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Google Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Desktop\Install\{b7e61045-4723-1b6c-1424-e765e58dff38}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{b7e61045-4723-1b6c-1424-e765e58dff38}\GoogleUpdate.exe >"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
