Trojan-PSW.Win32.Zbot.4_dcb67a539a
Trojan.Win32.Buzus.oepa (Kaspersky), Trojan.Downloader.JQEL (B) (Emsisoft), Trojan.Downloader.JQEL (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: dcb67a539af43913e2e4bec9ba658c22
SHA1: 432dde771b8502338b4e24f067d6b785f633d5dd
SHA256: 02b20aaad6f2763e76d212e34ba86b71b7772f09fefd7f72589b2c16b9851a43
SSDeep: 384:bAmt53ZsCQ4P GhplI 22rL7bJ0qLPXa0w1X jv9LLaPabo:bJHsCJ Ghg 22rL7bJ0qLPXa0NjF5s
Size: 21212 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company:
Created at: 2003-09-15 20:42:09
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW: a Trojan program intended to steal users' passwords.
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
budha.exe:3012
kilf.exe:3980
dasu.exe:1692
%original file name%.exe:2856
The Trojan-PSW injects its code into the following process(es):
Explorer.EXE:1948
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process budha.exe:3012 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\profile_main[1].exe (1694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1694 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (0 bytes)
The process kilf.exe:3980 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Hyaqe\dasu.exe (2734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VOA7720.bat (171 bytes)
The process dasu.exe:1692 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\ntuser.dat.LOG (5592 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4788 bytes)
The process %original file name%.exe:2856 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (21 bytes)
Registry activity
The process budha.exe:3012 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 B9 3D DB 25 F3 BB A6 4B 55 B3 2B 95 F7 53 B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"kilf.exe" = "Administrations und Wartungsprogramm fur SQLite Datenbankdateien"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
The Trojan-PSW changes the IE security-zone mapping so that all sites that bypass the proxy server are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
It also places all network (UNC) paths in the Intranet Zone:
"UNCAsIntranet" = "1"
and all local (intranet) sites not listed in any other zone in the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process kilf.exe:3980 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 50 58 17 37 31 ED A4 43 B4 4B B4 E8 C9 A0 D9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process dasu.exe:1692 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 AE ED A6 DE B8 9F 44 26 AA 2E 27 08 EE 06 0D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Wyufhoefbiab]
"2h7af223" = "ggbUhRd1PpWf2Q==ç¹$"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process %original file name%.exe:2856 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E C3 A3 A3 61 A1 6A 2A 30 88 9D C9 46 C2 A0 F1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"budha.exe" = "budha"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-PSW changes the IE security-zone mapping so that all sites that bypass the proxy server are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
It also places all local (intranet) sites not listed in any other zone in the Intranet Zone:
"IntranetName" = "1"
and all network (UNC) paths in the Intranet Zone:
"UNCAsIntranet" = "1"
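Most of the registry values listed above (Shell Folders, MountPoints2, the Cryptography\RNG Seed, MUICache) are written by Windows itself as a side effect of ordinary API calls and are not useful indicators. The entries worth checking a machine for are the three ZoneMap values together with ProxyEnable=0 and the removal of ProxyServer/AutoConfigURL, and the randomly named key under HKCU\Software\Microsoft (here Wyufhoefbiab) holding a randomly named binary value, which is where this family keeps its configuration. The script below is an added example written for this page, not code from the report or from Lavasoft: it parses a registry export and flags exactly those patterns. The .reg text, the subkey allowlist and the binary payload bytes are constructed for the example.

```python
"""Flag the IE zone/proxy changes and the random HKCU config key described
above in a registry export.  Added example; not part of the original report.
The sample .reg text below is constructed from the values in this report."""
import re
from typing import Dict, List

RegSnapshot = Dict[str, Dict[str, object]]   # key path -> {value name: data}

IE_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONEMAP = IE_SETTINGS + r"\ZoneMap"

# Subkeys that legitimately sit directly under HKCU\Software\Microsoft on an
# XP-era machine.  Illustrative allowlist (assumption), not an exhaustive list.
KNOWN_MS_SUBKEYS = {
    "Windows", "Windows NT", "Internet Explorer", "Cryptography", "Office",
    "Protected Storage System Provider", "MediaPlayer", "Multimedia",
    "Search Assistant", "Windows Script Host", "Shared Tools", "VBA",
}


def parse_reg(text: str) -> RegSnapshot:
    """Minimal parser for REGEDIT4 / 'Windows Registry Editor 5.00' exports:
    [key] sections followed by "name"=dword:..., "name"="string" or
    "name"=hex:.. lines.  Multi-line hex continuations are not handled."""
    snap: RegSnapshot = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = (line[1:-1]
                   .replace("HKEY_CURRENT_USER", "HKCU")
                   .replace("HKEY_LOCAL_MACHINE", "HKLM"))
            snap.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (m and key):
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            snap[key][name] = int(raw[6:], 16)
        elif raw.startswith("hex:"):
            snap[key][name] = bytes.fromhex(raw[4:].replace(",", ""))
        elif raw.startswith('"') and raw.endswith('"'):
            snap[key][name] = raw[1:-1]
    return snap


def zeus_registry_indicators(snap: RegSnapshot) -> List[str]:
    """Return human-readable findings for the patterns seen in this report."""
    findings = []
    zm = snap.get(ZONEMAP, {})
    # All three set to 1: every site the bot tampers with lands in the lax Intranet zone.
    if all(zm.get(v) == 1 for v in ("ProxyBypass", "IntranetName", "UNCAsIntranet")):
        findings.append("IE ZoneMap: ProxyBypass, IntranetName and UNCAsIntranet all set to 1")
    ies = snap.get(IE_SETTINGS, {})
    if ies.get("ProxyEnable") == 0 and not any(v in ies for v in ("ProxyServer", "AutoConfigURL")):
        findings.append("IE proxy disabled and ProxyServer/AutoConfigURL removed")
    # Random key directly under HKCU\Software\Microsoft with a random-looking
    # value name holding binary data: the bot's stored configuration.
    for key, values in snap.items():
        m = re.fullmatch(r"HKCU\\Software\\Microsoft\\([^\\]+)", key, re.IGNORECASE)
        if not m or m.group(1) in KNOWN_MS_SUBKEYS:
            continue
        for name, data in values.items():
            if isinstance(data, bytes) and re.fullmatch(r"[0-9a-z]{6,12}", name):
                findings.append(f"Possible bot config key {key}, value {name!r} ({len(data)} bytes)")
    return findings


# Constructed export reproducing the values recorded above.  The hex payload is
# a placeholder; the real value data is not reproducible from the report.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Wyufhoefbiab]
"2h7af223"=hex:67,67,62,55,68,52,64,31,50,70,57,66,32,51,3d,3d,e7,b9,24
"""

if __name__ == "__main__":
    for finding in zeus_registry_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same check runs against `reg export HKCU\Software\Microsoft hkcu.reg` taken as an administrator; on a disk image, the NTUSER.DAT hive listed under dasu.exe's file activity is the one to export.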
Dropped PE files
| MD5 | File path |
|---|---|
| 4a7fd6ae85d964a883b38dd42f91d256 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Hyaqe\dasu.exe |
| d611915ee96b7126f42bda5b05c7635e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\budha.exe |
| 0154fecc492db496aa998636fc828e6d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\profile_main[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
UnsealMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
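The hook set above is the classic banking-trojan layout: the WININET and WS2_32 hooks intercept browser traffic before encryption and after decryption (form grabbing and content injection), the Secur32 SealMessage/UnsealMessage hooks catch TLS plaintext for clients that use Schannel, PFXImportCertStore exposes imported client certificates, GetClipboardData and TranslateMessage capture clipboard and keyboard input, and LdrLoadDll/NtCreateThread let the implant re-apply its hooks in newly loaded modules and threads. Hooks like these are inline: the first bytes of the exported function are overwritten with a jump into the injected code. The detector below is an added example written for this page, not code from the report or from Lavasoft. It classifies the entry bytes of an export and resolves where the redirect points; the WININET.dll base address, size and export addresses in the sample are constructed, not taken from the analysed machine.

```python
"""Detect inline user-mode hooks of the kind listed above by inspecting the
first bytes of each exported function.  Added example; not from the report.
Module base, size and export addresses below are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

# Standard hot-patchable prologue of Windows XP SP2+ x86 system DLLs:
#   8B FF   mov edi, edi
#   55      push ebp
#   8B EC   mov ebp, esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def hook_target(func_va: int, code: bytes,
                disk_code: Optional[bytes] = None) -> Tuple[str, Optional[int]]:
    """Return (kind, target).  kind is 'clean', 'jmp-rel32', 'push-ret',
    'jmp-indirect' or 'unknown'.  func_va is the function's virtual address,
    needed to resolve a relative jump.  If the on-disk bytes are supplied the
    comparison is exact; otherwise the standard prologue is assumed."""
    if not code:
        return "unknown", None
    if disk_code is not None and code[:len(disk_code)] == disk_code:
        return "clean", None
    if disk_code is None and code.startswith(CLEAN_PROLOGUE):
        return "clean", None
    if code[0] == 0xE9 and len(code) >= 5:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp-rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:  # push imm32; ret
        return "push-ret", struct.unpack_from("<I", code, 1)[0]
    if code[:2] == b"\xFF\x25" and len(code) >= 6:              # jmp dword ptr [imm32]
        return "jmp-indirect", struct.unpack_from("<I", code, 2)[0]
    return "unknown", None


def scan_exports(module_base: int, module_size: int,
                 exports: Dict[str, Tuple[int, bytes]]) -> List[Tuple[str, str, Optional[int], bool]]:
    """exports: {name: (func_va, first_bytes_in_memory)}.  Returns one
    (name, kind, target, outside_module) tuple per redirected export; a target
    outside the module's own image is the strongest sign of a foreign hook."""
    hooked = []
    for name, (va, code) in exports.items():
        kind, target = hook_target(va, code)
        if kind == "clean":
            continue
        outside = target is not None and not (module_base <= target < module_base + module_size)
        hooked.append((name, kind, target, outside))
    return hooked


# Constructed snapshot of WININET.dll in the injected Explorer.EXE process.
WININET_BASE, WININET_SIZE = 0x771B0000, 0x000AA000


def sample_wininet_exports() -> Dict[str, Tuple[int, bytes]]:
    """Two exports redirected into a heap region below the module, one clean."""
    def jmp_rel32(va: int, target: int) -> bytes:
        return b"\xE9" + struct.pack("<i", target - (va + 5))
    return {
        "HttpSendRequestA": (0x771D5ABC, jmp_rel32(0x771D5ABC, 0x00F51234) + b"\x90\x90\x90"),
        "InternetReadFile": (0x771E0120, b"\x68" + struct.pack("<I", 0x00F55678) + b"\xC3\x90\x90"),
        "InternetCloseHandle": (0x771C3344, bytes.fromhex("8BFF558BEC83EC2C")),
    }


if __name__ == "__main__":
    for name, kind, target, outside in scan_exports(WININET_BASE, WININET_SIZE, sample_wininet_exports()):
        print(f"{name}: {kind} -> {target:#010x} {'OUTSIDE module' if outside else 'inside module'}")
```

The prologue shortcut only holds for functions compiled with hot-patch support; a production scanner maps the DLL from disk, applies relocations, and passes the on-disk bytes as `disk_code` so that functions with non-standard prologues are not misreported.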
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 4881 | 5120 | 4.31273 | 5bd78445669a0ae4a1cc746b58415314 |
| .data | 12288 | 6401 | 6656 | 2.50295 | 7d33a1ebe246d96662d74d4737d52af2 |
| .idata | 20480 | 2400 | 2560 | 3.76867 | 31c85b4df47dddf1d035a6ecf4a20157 |
| .rsrc | 24576 | 5252 | 5632 | 3.70321 | f66a95fae4a4cfef8a00b2f6cd60d056 |
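The PEiD signature above (UPolyXv05_v6) and the entropy verdict (Not Packed) disagree, and the section table decides it: every section has a raw size close to its virtual size and an entropy between 2.5 and 4.3 bits per byte, which is plain code and data, whereas a packed image shows a compressed section near 8 bits or a large section with no raw data at all. The following is an added example written for this page, not code from the report or from Lavasoft, that recomputes Shannon entropy and applies that heuristic to the reported section table; the per-section values are taken from the table, but the original section bytes are not available here, so only the heuristic, not the numbers, is reproduced.

```python
"""Recompute per-section Shannon entropy and apply the packed / not-packed
heuristic behind the 'Entropy: Not Packed' verdict.  Added example; the
section figures come from the table above, the byte strings are constructed."""
import math
from collections import Counter
from typing import List, Tuple

Section = Tuple[str, int, int, float]   # (name, VirtualSize, RawSize, entropy)

# Section names written by common packers (well-known, non-exhaustive).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_flags(name: str, virt_size: int, raw_size: int, entropy: float) -> List[str]:
    """Reasons a single section looks packed or obfuscated."""
    flags = []
    if entropy >= 7.0:
        flags.append("high entropy (compressed or encrypted data)")
    if raw_size == 0 and virt_size > 0:
        flags.append("no raw data but non-zero virtual size (unpacking destination)")
    if name in KNOWN_PACKER_SECTIONS:
        flags.append(f"section name {name} belongs to a known packer")
    return flags


def packed_verdict(sections: List[Section]) -> str:
    """'Packed/obfuscated' if any section is flagged, else 'Not Packed'."""
    return "Packed/obfuscated" if any(section_flags(*s) for s in sections) else "Not Packed"


# The four sections reported above: (name, VirtualSize, RawSize, Entropy).
REPORTED_SECTIONS: List[Section] = [
    (".text", 4881, 5120, 4.31273),
    (".data", 6401, 6656, 2.50295),
    (".idata", 2400, 2560, 3.76867),
    (".rsrc", 5252, 5632, 3.70321),
]

if __name__ == "__main__":
    print("reported sample:", packed_verdict(REPORTED_SECTIONS))
    # Constructed buffers showing the two ends of the scale.
    print("zeros:", shannon_entropy(b"\x00" * 4096))
    print("all byte values:", shannon_entropy(bytes(range(256)) * 16))
```

When reproducing the table from the file itself, compute the entropy over the raw section bytes (RawSize, not VirtualSize) and treat a high-entropy .rsrc section with care, since embedded compressed images and encrypted payloads look alike under this measure.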
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 112
443ac8b40c16da3dddd8fde4e79583f4
ad282ed208a2d7f209250d9352c019cb
cf2ff9c9aa166241c71b70e9b273c2fa
6eeab38a66bdad7e74620b3bb7e2e2d4
ef00ebd83619981bb723ecca9e9bd12f
ca886b3281d6101221fa46fa1cbbafbb
b84c780fd81f8ed76232cdd373e6f1ce
a04291a2e50eb3b21f49e864abd24fa9
b1a14a3682ee83af0dfeb6de5e57493e
d034cb955d5030b4efbf73b0414e7f2e
d4cdcd1479acce93f3e6e90994693e39
d57df59ee627e452018a2494463fc41f
bcf6888054e2f379fbfd83d66a68c8a1
b45657e95311ab4a0d09d61049992c2f
d56ed696fa61b976f1666c2a25b29793
c0c0a9f37dae7bafc1eb553a096e319e
db494490e1b2fa67fc0355637e5ef4ba
cd2ca8db18fb5125d67945ba6d19eb21
c59c9e1e23b88998aaaab752e496ff6e
b3d7f2882f5bc72f551311a7969cb8f6
af30768ff92488278c8f34cb0950fed9
ac2471c932b5a12b630cf95f27012741
a7ad11374e88cc4684008773f353e24c
db60c5acc635f457069fc437704b7c14
d49b2a36223ac79149389ef726088a9a
URLs
| URL | IP |
|---|---|
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| robotvacuumhut.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=10675
Date: Sat, 28 Jun 2014 08:11:43 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2

1401CF3DB40B609892
The Trojan-PSW connects to the servers at the following location(s):
.text
`.data
.reloc
Invalid parameter passed to C runtime function.
0123456789
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
http://www.google.com/
http://www.bing.com/
REPORT
gdiplus.dll
GdiplusShutdown
RegDeleteKeyExW
HTTP/1.1
ntdll.dll
KERNEL32.dll
ExitWindowsEx
MsgWaitForMultipleObjects
GetKeyboardState
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
"%s" %s
/c "%s"
kernel32.dll
urlmon.dll
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
shell32.dll
\StringFileInfo\xx\%s
cabinet.dll
Wadvapi32.dll
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
budha.exe:3012
kilf.exe:3980
dasu.exe:1692
%original file name%.exe:2856
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\profile_main[1].exe (1694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1694 bytes)
%Documents and Settings%\%current user%\Application Data\Hyaqe\dasu.exe (2734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VOA7720.bat (171 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (5592 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (21 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.