Trojan-PSW.Win32.Zbot.4_8788e60420

by malwarelabrobot on September 14th, 2013 in Malware Descriptions.

Trojan.Win32.Bublik.beuk (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 8788e60420f2a977fc275f7ca8eb3066
SHA1: e170d1584c5df27257b6610a4e1db850b37ad0ee
SHA256: d0b2ac1d771d128a3c4f02bc1dc38cd7a861397cee70d6924aef0101446d8385
SSDeep: 768:DS7nh4aQC9xkV1tdgI2MyzNORQtOflIwoHNV2XBFV72B4lA7ZsUI 1:DS7nK8eztdgI2MyzNORQtOflIwoHNV2
Size: 25796 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: SoftSafe
Created at: 2013-09-11 17:03:48


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

ffengh.exe:2684
aqicn.exe:3948
hfsrfgs.exe:684

The Trojan-PSW injects its code into the following process(es):

load162.exe:4068
ctfmon.exe:252

File activity

The process ffengh.exe:2684 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hfsrfgs.exe (1755 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1otp[1].exe (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process load162.exe:4068 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\tuzeavobxacx.exe (50 bytes)

The process ctfmon.exe:252 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (6384 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5228 bytes)

The process aqicn.exe:3948 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (7464 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4836 bytes)

The process hfsrfgs.exe:684 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Otciv\aqicn.exe (3547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RQGBA1F.bat (177 bytes)

Registry activity

The process ffengh.exe:2684 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 EA 2E EE 95 D9 B6 D2 4F 7C 89 E9 38 D6 B2 CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"hfsrfgs.exe" = "Thick Set"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process load162.exe:4068 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 92 1F 47 F0 B2 E8 9B 3D DA 2E CF EC 50 14 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"tuzeavobxacxzap" = "1C F3 CB A3 7B C6 9E 76 4E 26 FD D5 AD 85 5D 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "06 DD B5 8D 65 3D 15 EC C4 9C 74 BF 97 6F 47 1F"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tuzeavobxacx" = "%Documents and Settings%\%current user%\tuzeavobxacx.exe"

The process ctfmon.exe:252 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 4E C8 45 6B 78 58 EE F3 EB 22 13 BC 59 2E F2"

[HKCU\Identities]
"Last User ID" = "{6855BFC2-9E4A-4896-A11D-74388FBABDC2}"

[HKCU\Identities]
"Last Username" = "Main Identity"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"

[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"

[HKCU\Identities]
"Identity Login" = "622675"

[HKCU\Software\Microsoft\Ozmyurmixeyg]
"6d8473g" = "8g27Tg=="

[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Identities]
"Changing"

[HKCU\Identities]
"OutgoingID"

[HKCU\Identities]
"IncomingID"

The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process aqicn.exe:3948 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 30 93 C3 E9 15 89 64 C7 D5 51 B5 E0 57 15 14"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Ozmyurmixeyg]
"31f3h6a" = "xw3UTlW4xp0IUM9T"

The process hfsrfgs.exe:684 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 C8 B1 6F C9 01 A8 DB 25 E6 48 4C FC 8C D8 13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

URL IP
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
www.download.windowsupdate.com 23.3.98.34


Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ffengh.exe:2684
    aqicn.exe:3948
    hfsrfgs.exe:684

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (52 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hfsrfgs.exe (1755 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1otp[1].exe (1755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
    %Documents and Settings%\%current user%\tuzeavobxacx.exe (50 bytes)
    %Documents and Settings%\%current user%\ntuser.dat.LOG (6384 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (5228 bytes)
    %Documents and Settings%\%current user%\Application Data\Otciv\aqicn.exe (3547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RQGBA1F.bat (177 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "tuzeavobxacx" = "%Documents and Settings%\%current user%\tuzeavobxacx.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now