Trojan-PSW.Win32.Zbot.4_d3ed63308f

by malwarelabrobot on July 9th, 2013 in Malware Descriptions.

Trojan.Win32.Inject.fvah (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-Ransom.Win32.Blocker!IK (Emsisoft), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Ransom, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: d3ed63308f8fc9341ce516b461d5ec9f
SHA1: a7bc29e2bd1caa88fbedbfecf11fd9176c029f14
SHA256: e1f6de0b8e14809b6a41e9192e8180e24866aa2abe00283c87c59b4b69d67224
SSDeep: 6144:UbfN4fge2o9FUKi9H1hdxOEG/YYakUkcLtyQur0Mqr 7C1Xw:Wfyb2E25d3ARaksLtyQuACYA
Size: 315392 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SetupManager
Created at: 2003-11-14 01:15:40


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.
Ransom. Disables the compromised computer or restricts access to certain data so that the victim can no longer use it. The victim is expected to send payment to the hijacker to restore access to the blocked data or re-enable the system.

Process activity

The Trojan-PSW creates the following process(es):

fuleym.exe:924
d3ed63308f8fc9341ce516b461d5ec9f.exe:1996

The Trojan-PSW injects its code into the following process(es):

File activity

The process fuleym.exe:924 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5660 bytes)

The process d3ed63308f8fc9341ce516b461d5ec9f.exe:1996 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IKQD03D.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Teedd\fuleym.exe (1740 bytes)

Registry activity

The process fuleym.exe:924 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 9F 93 23 BD 7F 07 12 F3 08 48 84 34 EB 1B 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Vuotkehymeo]
"1a70511a" = "3A CC F3 EB 12 DF"

The process d3ed63308f8fc9341ce516b461d5ec9f.exe:1996 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D AA 65 6E 82 6C E4 60 7A 65 9B 2A E6 BA EB AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

URL: hxxp://www.google.ca/ IP: 74.125.226.247 Country: United States
URL: www.google.com IP: 74.125.226.241

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    fuleym.exe:924
    d3ed63308f8fc9341ce516b461d5ec9f.exe:1996

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IKQD03D.bat (173 bytes)
    %Documents and Settings%\%current user%\Application Data\Teedd\fuleym.exe (1740 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now