Trojan-PSW.Win32.Zbot.4_66ab4df1a7

by malwarelabrobot on July 15th, 2013 in Malware Descriptions.

Trojan.Win32.Kryptik.ake (v) (VIPRE), Trojan-Ransom.Win32.Blocker!IK (Emsisoft), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Ransom, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 66ab4df1a764108b892997349b944c3a
SHA1: 940be43bf8ebb900a5a01467ab778a0bf2ef1c94
SHA256: 4033b0a678d8ed98166f8278a8cc2d27f68dadd035df67909e880ef35369f9db
SSDeep: 6144:PxeOqfge2OjRxpjC5cQFFo2qoDo5/Ywv/wBgBX2BvICibBEy6F:5eb2qCzFUoDW//vaGGV60F
Size: 315392 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2003-11-14 01:15:40


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

ntvdm.exe:2008
66ab4df1a764108b892997349b944c3a.exe:1644
hiyfec.exe:1732

The Trojan-PSW injects its code into the following process(es):

heap52.exe:348

File activity

The process ntvdm.exe:2008 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (2356 bytes)
%Program Files%\Windows Media Player (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\Temp (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
C:\Perl\lib (40 bytes)
%WinDir%\Help (248 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (192 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%Program Files%\Movie Maker (4 bytes)
%Program Files%\Windows NT (4 bytes)
%System% (4596 bytes)
%Program Files%\COMMON FILES (4 bytes)
C:\Perl\eg (4 bytes)
%WinDir%\msagent (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%Program Files%\Wireshark (196 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33872 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%WinDir%\security (4 bytes)
C:\Perl\html (8 bytes)
%Documents and Settings%\LocalService (4 bytes)

The Trojan-PSW deletes the following file(s):

%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)

The process 66ab4df1a764108b892997349b944c3a.exe:1644 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GKF6279.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Ihev\hiyfec.exe (1740 bytes)

The process hiyfec.exe:1732 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7160 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5180 bytes)

The process heap52.exe:348 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\adm.wab (2028 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\adm.wab~ (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSWQD.tmp (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSWQC.tmp (11919 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MPS3.tmp (4896 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MPS3.tmp (0 bytes)

Registry activity

The process ntvdm.exe:2008 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 59 6E B4 44 01 EB 07 84 0B 8D B1 C1 B2 94 11"

The process 66ab4df1a764108b892997349b944c3a.exe:1644 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 67 35 7B 0D 2E 4A 30 D3 CE B7 6C AD B9 6C 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process hiyfec.exe:1732 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 54 0D 44 3E 9A 26 CD AF A4 51 A9 42 13 57 EE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Ankaasliec]
"fa3g16" = "nKiQoAPdWwR7/x tNZc="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process heap52.exe:348 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"VendorId" = "65 5E A2 BE BF 82 C9 48 9C 2B A2 DD F1 AF FE 34"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Account Manager\Accounts]
"AssociatedID" = "13 0C E8 37 45 CB CE 4D A4 38 54 5B 79 14 76 AC"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF D9 9F 66 F0 03 4B 53 C6 B8 73 03 28 CE 04 F4"

[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\QBW463F]
"/heap52.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\QBW463F\/heap52.exe:*:Enabled:Microsoft Office"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Identities]
"Changing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Identities]
"IncomingID"

[HKCU\Identities]
"OutgoingID"

Network activity (URLs)

URL IP Country
hxxp://iwvsales.com/bc.exe 63.143.39.130
hxxp://masterprinters.com/heap52.exe (Malicious) 208.113.241.82
hxxp://shuffleset.com/ 46.165.223.153


Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ntvdm.exe:2008
    66ab4df1a764108b892997349b944c3a.exe:1644
    hiyfec.exe:1732

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (2356 bytes)
    %Program Files%\Windows Media Player (4 bytes)
    %WinDir%\Temp (4 bytes)
    %Program Files%\Internet Explorer (4 bytes)
    %WinDir%\Installer (8 bytes)
    %WinDir%\SoftwareDistribution (4 bytes)
    C:\Perl\lib (40 bytes)
    %WinDir%\Help (248 bytes)
    %Documents and Settings%\Default User (540 bytes)
    %Documents and Settings%\All Users (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
    %WinDir%\Microsoft.NET (4 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %WinDir%\$hf_mig$ (8 bytes)
    %Program Files%\Movie Maker (4 bytes)
    %Program Files%\Windows NT (4 bytes)
    %System% (4596 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    C:\Perl\eg (4 bytes)
    %WinDir%\msagent (4 bytes)
    %Documents and Settings%\NetworkService (4 bytes)
    %Program Files%\Wireshark (196 bytes)
    %WinDir%\assembly (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
    %WinDir%\Temp\scs1.tmp (33872 bytes)
    %WinDir%\ime (4 bytes)
    %Documents and Settings%\All Users\Application Data (4 bytes)
    %WinDir%\Temp\scs2.tmp (10145 bytes)
    %WinDir%\security (4 bytes)
    C:\Perl\html (8 bytes)
    %Documents and Settings%\LocalService (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GKF6279.bat (173 bytes)
    %Documents and Settings%\%current user%\Application Data\Ihev\hiyfec.exe (1740 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (7160 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\adm.wab (2028 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\adm.wab~ (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MSWQD.tmp (85 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MSWQC.tmp (11919 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MPS3.tmp (4896 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now