Trojan-PSW.Win32.Zbot.4_f2f820d4c8

by malwarelabrobot on September 1st, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Kryptik.ake (v) (VIPRE), Trojan-PSW.Win32.Tepfer!IK (Emsisoft), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: f2f820d4c8b6ad7e5cd4c9d545ea40c5
SHA1: 07176f9f431094196e2d06e214e3482c2bf6d398
SHA256: 8690c579038825812540c39c14630497138c2ae0d02c824c8b89dbbae86e733b
SSDeep: 6144:pAOJaxOE5IKlytwNrFvG1xRCdZFPyERssfv3YTsDyXLSIc6LsD2WRzQ:pb8D5IKly/xRUFWJbXLPAJRc
Size: 309248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-06-16 14:22:34


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

uveshy.exe:2888
f2f820d4c8b6ad7e5cd4c9d545ea40c5.exe:2608

The Trojan-PSW injects its code into the following process(es):

ctfmon.exe:252

File activity

The process uveshy.exe:2888 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)

The process ctfmon.exe:252 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (5400 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4484 bytes)

The process f2f820d4c8b6ad7e5cd4c9d545ea40c5.exe:2608 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VVKF942.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Alaxan\uveshy.exe (1734 bytes)

Registry activity

The process uveshy.exe:2888 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 45 33 0C BE 07 AA 7C 35 A8 AB 70 83 39 4F 13"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Asadduujulyc]
"311d360a" = "OdbZKvIP eWseI7Ia"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process ctfmon.exe:252 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 8E ED 10 DC C0 02 7C EB 9E 72 E8 0F 93 D8 FE"

[HKCU\Identities]
"Last User ID" = "{6855BFC2-9E4A-4896-A11D-74388FBABDC2}"

[HKCU\Identities]
"Last Username" = "Main Identity"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"

[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"

[HKCU\Identities]
"Identity Login" = "622675"

[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"

[HKCU\Software\Microsoft\Asadduujulyc]
"35je3a50" = "0A D6 AD 2A"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Identities]
"Changing"

[HKCU\Identities]
"OutgoingID"

[HKCU\Identities]
"IncomingID"

The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process f2f820d4c8b6ad7e5cd4c9d545ea40c5.exe:2608 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C F7 30 00 09 EE A3 DE F8 C8 92 8A 39 A4 61 AA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

No activity has been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    uveshy.exe:2888
    f2f820d4c8b6ad7e5cd4c9d545ea40c5.exe:2608

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VVKF942.bat (173 bytes)
    %Documents and Settings%\%current user%\Application Data\Alaxan\uveshy.exe (1734 bytes)

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now