Trojan-PSW.Win32.Zbot.4_79e2a08768
Trojan-Downloader.Win32.Small.cwlh (Kaspersky), Trojan.Win32.Zbot.aaw (v) (VIPRE), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 79e2a08768965e09066e50e3f010a95b
SHA1: 04a81fffe135fbe52a58d8085be91e5f891f36ab
SHA256: 99c850b7371b2803c73f464df5d3a39e369b76e3c728b8e879944ec1b0f10ea4
SSDeep: 768:IszBK UX1h5PXQqpuDf89WREEtdEI2MyzNORQtOflIwoHNM2XBFV7WBglC7 sBmW:FFDUX1PvQ88tdEI2MyzNORQtOflIwoH8
Size: 27648 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: WinterSoft
Created at: 2013-11-06 09:23:35
Summary:
Trojan-PSW. Trojan program intended for stealing users passwords.
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
refuh.exe:1176
refu.exe:2028
jypuh.exe:604
%original file name%.exe:484
The Trojan-PSW injects its code into the following process(es):
ctfmon.exe:536
File activity
The process refuh.exe:1176 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Ylcy\jypuh.exe (662016 bytes)
%Documents and Settings%\%current user%\Application Data\Ylcy (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OXWBCE5.bat (176 bytes)
The process refu.exe:2028 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\refuh.exe (592384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (160255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (48483 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\Andriod-Apps_32[1].exe (592384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (146652 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54009 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (146652 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (48483 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (0 bytes)
C:\79E2A08768965E09066E50E3F010A95B.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (0 bytes)
The process jypuh.exe:604 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT (196608 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (71168 bytes)
%Documents and Settings%\%current user% (28672 bytes)
The process %original file name%.exe:484 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\refu.exe (27730 bytes)
Registry activity
The process refuh.exe:1176 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 DF B5 7A D2 2F 8B 7D 3B C2 09 AB 74 E3 4E E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process ctfmon.exe:536 makes changes in the system registry.
The Trojan-PSW deletes the following value(s) in system registry:
The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process refu.exe:2028 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43DDB1FFF3B49B73831407F6BC8B975023D07C50]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 00 53 1D 1D"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 E6 0B D2 C9"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4B421F7515F6AE8A6ECEF97F6982A400A4D9224E]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 5A 11 B9 22"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4072BA31FEC351438480F62E6CB95508461EAB2F]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 70 B5 7C 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 DD 75 3F 56"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4C95A9902ABE0777CED18D6ACCC3372D2748381E]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 4B 1C 56 8C"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E594945195F2414803B4D564D2A3A3F5D88B8C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 C5 70 C4 A2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\209900B63D955728140CD13622D8C687A4EB0085]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 1E 74 C3 86"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24BA6D6C8A5B5837A48DB5FAE919EA675C94D217]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 7B B5 08 99"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4BA7B9DDD68788E12FF852E1A024204BF286A8F6]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 18 AE 69 5D"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\394FF6850B06BE52E51856CC10E180E882B385CC]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 AA BF BF 64"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 3E 80 17 5B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0048F8D37B153F6EA2798C323EF4F318A5624A9E]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 15 B2 98 A3"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp]
"refuh.exe" = "refuh"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий Ñтол"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4463C531D7CCC1006794612BB656D3BF8257846F]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 74 7B 82 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Рабочий Ñтол"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\216B2A29E62A00CE820146D8244141B92511B279]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 E1 4B 52 73"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\284F55C41A1A7A3F8328D4C262FB376ED6096F24]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 01 1A 3F 4D"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43F9B110D5BAFD48225231B0D0082B372FEF9A54]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 25 9D CF 5E"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F173F7DE99667AFA57AF80AA2D1B12FAC830338]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 AB BF EA E3"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 85 2F F4 76"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\049811056AFE9FD0F5BE01685AACE6A5D1C4454C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 F2 7D E9 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 A9 23 75 9B"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36863563FD5128C7BEA6F005CFE9B43668086CCE]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 3A B2 DE 22"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 5E 45 AC D2 5C CA 90 F0 E3 65 9F 1E AC 0F 4E"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\273EE12457FDC4F90C55E82B56167F62F532E547]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 DB 23 3D F9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 50 E1 41 9D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 2A 5D 00 37"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 26 6D 2C 19"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0483ED3399AC3608058722EDBC5E4600E3BEF9D7]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 4C 56 41 E5"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47AFB915CDA26D82467B97FA42914468726138DD]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 50 19 3E 2F"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 03 42 87 D7"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F55E8839BAC30728BE7108EDE7B0BB0D3298224]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 8C D7 9F EB"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"43F9B110D5BAFD48225231B0D0082B372FEF9A54"
"4C95A9902ABE0777CED18D6ACCC3372D2748381E"
"0048F8D37B153F6EA2798C323EF4F318A5624A9E"
"3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA"
"273EE12457FDC4F90C55E82B56167F62F532E547"
"209900B63D955728140CD13622D8C687A4EB0085"
"4BA7B9DDD68788E12FF852E1A024204BF286A8F6"
"0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52"
"1F55E8839BAC30728BE7108EDE7B0BB0D3298224"
"049811056AFE9FD0F5BE01685AACE6A5D1C4454C"
"4463C531D7CCC1006794612BB656D3BF8257846F"
"40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC"
"24A40A1F573643A67F0A4B0749F6A22BF28ABB6B"
"4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C"
"36863563FD5128C7BEA6F005CFE9B43668086CCE"
"4B421F7515F6AE8A6ECEF97F6982A400A4D9224E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"216B2A29E62A00CE820146D8244141B92511B279"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"23E594945195F2414803B4D564D2A3A3F5D88B8C"
"47AFB915CDA26D82467B97FA42914468726138DD"
"317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6"
"00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099"
"24BA6D6C8A5B5837A48DB5FAE919EA675C94D217"
"2F173F7DE99667AFA57AF80AA2D1B12FAC830338"
"43DDB1FFF3B49B73831407F6BC8B975023D07C50"
"284F55C41A1A7A3F8328D4C262FB376ED6096F24"
"1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB"
"4072BA31FEC351438480F62E6CB95508461EAB2F"
"394FF6850B06BE52E51856CC10E180E882B385CC"
"4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"0483ED3399AC3608058722EDBC5E4600E3BEF9D7"
The process jypuh.exe:604 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 63 79 98 0E B0 A1 82 8C A3 78 1A B8 76 0A 3B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Yqtaitohekiz]
"1a3h35dj" = "e07GH6U/KSZVYTOUF7jHUd6B Ws="
The process %original file name%.exe:484 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 91 05 A9 81 4E 05 C6 1A 80 26 BA 2F EA 35 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий Ñтол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий Ñтол"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp]
"refu.exe" = "refu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt |  |
| hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| www.download.windowsupdate.com | 23.3.90.249 |
| bethexfactor2010.com | 184.154.15.188 |
| getappsforpc.com | 184.154.15.188 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
refuh.exe:1176
refu.exe:2028
jypuh.exe:604
%original file name%.exe:484 - Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Application Data\Ylcy\jypuh.exe (662016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OXWBCE5.bat (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\refuh.exe (592384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (160255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (48483 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\Andriod-Apps_32[1].exe (592384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (146652 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54009 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (146652 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (48483 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (196608 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (71168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\refu.exe (27730 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
