Virus Profile: PWS-Zbot

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/19/2007
Date Added: 12/19/2007
Origin: N/A
Length: varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 7137

Description

Updated on 14th Mar 2014

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Kaspersky    -    Trojan-PSW.Win32.Tepfer.tmhs
  • Symantec    -    Trojan.Zbot
  • Nod32        -    Win32/PSW.Fareit.A
  • Drweb        -    Trojan.PWS.Stealer.12713

PWS-Zbot is a Trojan that steals online banking credentials and sends them to a remote server.

Indication of Infection

    • PWS-Zbot may prevent some applications from starting.
    • Presence of the files and registry entries listed in this profile.
    • Communication with the domains and IP addresses listed in this profile.
    • Unexpected HTTP traffic.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Aliases

Zeus
   

Virus Characteristics

Updated on 14th Mar 2014

 “PWS-Zbot” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker.

The Trojan tries to delete itself from its current location by dropping a batch file built from the following template; each %s is replaced at run time with the path of the file to remove (the label that goto d jumps to is not among the recovered strings).

del "%s"
if exist "%s" goto d
@echo off
del /F "%s"

Upon execution, the Trojan drops files into the following locations:

  • %AppData%\Microsoft\Address Book\Userprofile.wab
  • %Temp%\Agubu\eleh.exe
  • %Temp%\Vefe\cehy.exe
  • %Windir%\system32\drivers\aa7f0a56507de62.sys
The Trojan creates the following folders:
  • %AppData%\Microsoft\Address Book
  • %Temp%\Agubu
  • %Temp%\Vefe
Upon execution, the Trojan tries to connect to the following hosts (addresses partially redacted):
  • 62[Removed]179[Removed]clodo.ru
  • 62[Removed]190[Removed]clodo.ru
  • 99[Removed]66.193
  • 180[Removed]45.40
  • 115[Removed]143.176
  • 99[Removed]80.46
  • 91[Removed]136[Removed]dynip[Removed]de
  • 119[Removed]162[Removed]rev[Removed]ne.jp
  • 213[Removed]192.140
  • 27[Removed]110.77
  • 82[Removed]60.98
  • 125[Removed]34.229
  • 207[Removed]93[Removed]stat[Removed]net
  • 74[Removed]76.62
  • 140[Removed]76.62
  • 193[Removed]122.99
  • 99[Removed]66[Removed]speed[Removed]global.net
  • 34[Removed]172.119
The following registry keys are added to the system:
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Yxarkeephik
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name
The following registry values are added to the system:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
The Trojan writes this value. Note that 0 is the default and leaves Windows Firewall notifications enabled; only a value of 1 suppresses them.
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Jaaxaw: "%Temp%\Agubu\eleh.exe"
This Run entry makes sure the malware is executed each time the user logs on.
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\
    • LDAP Server ID: 0x00000003
    • Account Name: "WhoWhere Internet Directory Service"
    • LDAP Server: "ldap.whowhere.com"
    • LDAP URL: "http://www.whowhere.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\
    • LDAP Server ID: 0x00000002
    • Account Name: "VeriSign Internet Directory Service"
    • LDAP Server: "directory.verisign.com"
    • LDAP URL: "http://www.verisign.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Search Base: "NULL"
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\
    • LDAP Server ID: 0x00000001
    • Account Name: "Bigfoot Internet Directory Service"
    • LDAP Server: "ldap.bigfoot.com"
    • LDAP URL: "http://www.bigfoot.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\
    • LDAP Server ID: 0x00000000
    • Account Name: "Active Directory"
    • LDAP Server: "NULL"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000002
    • LDAP Simple Search: 0x00000000
    • LDAP Bind DN: 0x00000000
    • LDAP Port: 0x00000CC4
    • LDAP Resolve Flag: 0x00000001
    • LDAP Secure Connection: 0x00000000
    • LDAP User Name: "NULL"
    • LDAP Search Base: "NULL"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\
    • PreConfigVer: 0x00000004
    • PreConfigVerNTDS: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\
    • Server ID: 0x00000004
    • Default LDAP Account: "Active Directory GC"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Yxarkeephik\2h6992cb: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Yxarkeephik\2c920hed: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Yxarkeephik\1cc0f881: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Yxarkeephik\30j55hag: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Yxarkeephik\22b3680g: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name\: "%AppData%\Microsoft\Address Book\AVERT.wab"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\HWID: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\0DFCBFC01E897F033E973D376B5A64B1: 74 72 75 65
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\DCD1D8601361177F76D44E0CDDBBF4F2: 74 72 75 65
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\5CF83707AE20CDC6DA2AFFB51D362E21: 74 72 75 65

The following are the processes (largely banking and financial-software applications) into which the Trojan tries to inject itself:

  • tellerplus
  • bancline
  • fidelity
  • micrsolv
  • bankman
  • vantiv
  • episys
  • jack henry
  • cruisenet
  • gplusmain
  • launchpadshell.exe
  • dirclt32.exe
  • wtng.exe
  • prologue.exe
  • silverlake
  • pcsws.exe
  • v48d0250s1
  • fdmaster.exe
  • fastdoc

Updated on Nov 15, 2013

Aliases

  • Microsoft    -    PWS:Win32/Zbot
  • Nod32        -    Win32/Spy.Zbot.AAU
  • Ikarus        -     Trojan-PWS.Win32.Zbot

Characteristics –


“PWS-Zbot” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker.

“PWS-Zbot” steals stored passwords, cache and cookies from the following browsers and also monitors their activity:

  • Chrome
  • Firefox
  • Internet Explorer

Upon execution, the Trojan injects code into svchost.exe. The following is an abbreviated list of the banking sites targeted by this bot, taken from the decrypted configuration file (host names redacted by the vendor):

  • hxxps://on[Removed]o.com/signon*
  • hxxps://www.p[Removed]l.com/*/webscr?cmd=_account
  • hxxps://www.pa[Removed]scr?cmd=_login-done*
  • hxxps://www#.u[Removed]Banking/LoginRouter
  • hxxps://easywe[Removed]FinancialSummaryServlet*
  • hxxps://www#.ci[Removed]ndex-wait.jsp
  • hxxps://onli[Removed]om/OLB/secure/AccountList.aspx
  • hxxps://www.su[Removed]rentname=Login*
  • hxxps://www.5[Removed]e/index.html*
  • hxxps://web.d[Removed]emberHomepage*
  • hxxps://onlin[Removed]toWelcome
  • hxxps://onlin[Removed]spx?targetPage=AccountSummary
  • hxxps://online[Removed]ccounts.aspx?referrer=authService
  • hxxps://res[Removed]counts.aspx
  • hxxps://banca[Removed]et/PProxy?*
  • hxxps://extr[Removed]lares.htm
  • hxxps://banes[Removed]Empresas.htm
  • hxxps://empre[Removed]s/servlet/webempresas.servlets.*
  • hxxps://www.gru[Removed]s=acceso*
  • hxxps://www.bbvane[Removed]/login_bbvanetoffice.html
  • hxxps://www.bancaj[Removed]m/ControlEmpresas*
  • hxxps://www.ci[Removed]k.de*
  • hxxps://pro[Removed]in/main.asp*
  • hxxps://ib[Removed]ys.com/logon/icebapplication*
  • hxxps://ib[Removed]ys.co.uk/olb/x/LoginMember.do
  • hxxps://on[Removed]b.com/customer.ibc
  • hxxps://onli[Removed]sb.co.uk/customer.ibc
  • hxxps://www.da[Removed].com*
  • hxxp://www.hs[Removed]ernet-banking*
  • hxxps://www.n[Removed]b.com/Login.aspx*
  • hxxps://home.yb[Removed]gin.html*
  • hxxps://home.cb[Removed]gin.html*
  • hxxps://wel[Removed]nk.co.uk/CBIBSWeb/start.do
  • hxxps://we[Removed]b/start.do
  • hxxps://www.ha[Removed]o.uk/_mem_bin/formslogin.asp*
  • hxxps://www2.b[Removed].es/AppBPE/servlet/servin*
  • hxxps://www.ban[Removed].com/es/*
  • hxxps://pa[Removed]res.bancopastor.es/SrPd*
  • hxxps://intel[Removed]/2043/entrada/01entradaencrip.htm
  • hxxps://www.caj[Removed]i-bin/INclient_2031
  • hxxps://www.fib[Removed]um.es/BasePage.aspx*
  • hxxps://car[Removed].es/banca3/tx0011/0011.jsp
  • hxxps://www.ca[Removed]al.com/home/acceso.asp
  • hxxps://www.caj[Removed]to.es/2106/*
  • hxxps://www.cla[Removed]bin/INclient_7054
  • hxxps://www.caj[Removed]rver/vitalnet*
  • hxxps://ba[Removed]n/INclient.jsp
  • hxxps://www.ca[Removed]n/INclient_6094
  • hxxps://www.cai[Removed]ec_1/oficinacodigo.jsp
  • hxxp://caix[Removed]2/tx0011/0011.jsp
  • hxxps://www.cai[Removed]in/INclient_2045
  • hxxps://www.cai[Removed]bin/INclient_2042
  • hxxps://www.caja[Removed]Circulo/acceso.jsp
  • hxxps://ar[Removed]og/bogbsn*
  • hxxps://www.bgn[Removed].com/niloinet/login.jsp
  • hxxps://www.caixa[Removed]-bin/INclient_2030*
  • hxxps://www.un[Removed]rtalServlet*
  • hxxps://www.sabade[Removed]/es/*
  • hxxps://oi.caja[Removed]rid/oi/pt_oi/Login/login
  • hxxps://www.caja[Removed]/INclient_6010*
  • hxxps://extra[Removed]ge/OtrosLogin/LoginIBanesto.htm
  • hxxps://monte[Removed]cgi-bin/INclient_2098*
  • hxxps://www.caja[Removed]INclient_6065
  • hxxps://oie.caja[Removed]drid/oie/pt_oie/Login/login_oie_1
  • hxxps://www.gru[Removed]jsp/login.jsp
  • hxxps://ba[Removed]ancoposta/formslogin.asp
  • hxxps://priva[Removed]gin/IN/box_login.jspe
  • hxxps://hb.qu[Removed]m
  • hxxps://www.iw[Removed]ex_pub.jhtml*
  • hxxps://we[Removed]orms/login.fcc
  • hxxps://www.isi[Removed]g/sso.Login*
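The URL masks above are what the bot compares each visited URL against before deciding to act. The following added Python example (not from the profile and not McAfee code) shows how such masks are matched: '*' stands for any run of characters and, as documented for the Zeus configuration format and assumed here, '#' for exactly one character; the example also treats a mask without a trailing '*' as having to match the whole URL, which is likewise an assumption. The masks are constructed in the shape of the redacted entries above and are not real banking URLs.

```python
import re

# Constructed masks in the shape of the (redacted) entries above; not real bank URLs.
SAMPLE_MASKS = [
    "https://www#.examplebank.test/Banking/LoginRouter",
    "https://online.examplebank.test/signon*",
    "https://www.examplepay.test/*/webscr?cmd=_account",
    "http://www.examplehsb.test/internet-banking*",
]


def normalize(url):
    """Restore a defanged hxxp/hxxps scheme so URLs copied from a report can be matched."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def mask_to_regex(mask):
    """Translate a Zeus-style mask into an anchored, case-insensitive regex.

    '*' -> any run of characters, '#' -> exactly one character (assumption,
    see the lead-in); every other character is literal.
    """
    parts = []
    for ch in normalize(mask):
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def compile_masks(masks):
    """Pre-compile the whole target list once; the bot does the equivalent on load."""
    return [(m, mask_to_regex(m)) for m in masks]


def match_url(url, compiled):
    """Return the first mask that matches url, or None if the URL is not targeted."""
    url = normalize(url)
    for mask, regex in compiled:
        if regex.match(url):
            return mask
    return None


if __name__ == "__main__":
    table = compile_masks(SAMPLE_MASKS)
    for u in ("https://www1.examplebank.test/Banking/LoginRouter",
              "https://www12.examplebank.test/Banking/LoginRouter",
              "https://www.examplepay.test/us/webscr?cmd=_account&x=1"):
        print(u, "->", match_url(u, table))
```

The anchoring matters when you turn a configuration dump into detection content: a mask ending in `*` is a prefix match, while one without it only fires on the exact path and query, so a proxy rule derived from it must be built the same way or it will miss or over-match.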

It may also create an autostart entry in one of the following locations in order to execute itself at every logon:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      o {Random UID} = %AppData%\[Random Named Folder]\[Random FileName]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
      o "Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"

Appending sdra64.exe to the Userinit value makes Winlogon start the Trojan alongside userinit.exe at each interactive logon; a clean Userinit value contains only %System%\userinit.exe.

It also weakens Internet Explorer security settings by adding or modifying the following registry values. Action 1406 is "Access data sources across domains" and 1609 is "Display mixed content"; data 0 means Enable (1 is Prompt, 3 is Disable). Zones 0 to 4 are Local Machine, Local Intranet, Trusted Sites, Internet and Restricted Sites:

  • HKEY_USERS\Software\Microsoft\Internet Explorer\Privacy CleanCookies = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609 = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 = 0x00000000
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 = 0x00000000
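Putting the persistence and Internet Explorer artifacts above into a repeatable check: the following added Python example (not part of the McAfee profile and not McAfee code) triages a list of registry values exported from a host, as a `reg export` parser or a forensic collector would produce, and flags the patterns this profile describes: Run entries launching from user-writable directories, a Winlogon Userinit value carrying more than userinit.exe, zone actions 1406/1609 set to Enable, and a firewall DisableNotifications value that is actually set to 1. The sample registry entries are constructed to mirror the profile; SIDs, value names and paths are illustrative.

```python
"""Triage registry values for the PWS-Zbot persistence and IE-weakening artifacts.

Input is a list of (key, value_name, data) tuples such as a parser for a
`reg export` file or a triage tool would produce.
"""

# Constructed sample, shaped like the entries listed in the profile.
# SIDs, names and paths are illustrative, not from a real machine.
SAMPLE_REGISTRY = [
    (r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "Jaaxaw", r"%Temp%\Agubu\eleh.exe"),
    (r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", r"C:\Windows\system32\userinit.exe, C:\Windows\system32\sdra64.exe"),
    (r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
     "1609", 0),
    (r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
     "1406", 0),
    (r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
     "1400", 0),
    (r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "DisableNotifications", 0),
]

# Substrings that place an executable in a user-writable location.
USER_WRITABLE = ("%temp%", "%appdata%", "\\temp\\", "\\appdata\\", "\\local settings\\")

# IE URL-action identifiers the profile shows being set to 0 (Enable).
IE_ZONE_ACTIONS = {"1406": "Access data sources across domains",
                   "1609": "Display mixed content"}
IE_ZONE_NAMES = {"0": "Local Machine", "1": "Local Intranet", "2": "Trusted Sites",
                 "3": "Internet", "4": "Restricted Sites"}


def check_run_entry(key, name, data):
    """Flag Run/RunOnce entries whose command lives under Temp or AppData."""
    k = key.lower().rstrip("\\")
    if not k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return None
    if any(marker in str(data).lower() for marker in USER_WRITABLE):
        return f"Run entry '{name}' launches from a user-writable path: {data}"
    return None


def check_userinit(key, name, data):
    """Userinit must name exactly one program, userinit.exe; anything else is a hijack."""
    if name.lower() != "userinit" or "\\winlogon" not in key.lower():
        return None
    programs = [p.strip().strip('"') for p in str(data).split(",") if p.strip()]
    if len(programs) == 1 and programs[0].lower().endswith("\\userinit.exe"):
        return None
    extra = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
    return f"Userinit hijacked, extra program(s): {extra}"


def check_zone_action(key, name, data):
    """Flag 1406/1609 set to 0 (Enable) in any IE security zone."""
    marker = "\\internet settings\\zones\\"
    lk = key.lower()
    if marker not in lk or name not in IE_ZONE_ACTIONS or data != 0:
        return None
    zone = lk.rsplit(marker, 1)[1].split("\\")[0]
    return (f"IE zone {zone} ({IE_ZONE_NAMES.get(zone, '?')}): "
            f"'{IE_ZONE_ACTIONS[name]}' set to Enable")


def check_firewall_notifications(key, name, data):
    """DisableNotifications=1 suppresses firewall prompts; 0 (the value on this page) is the default."""
    if name.lower() != "disablenotifications" or "\\firewallpolicy\\" not in key.lower():
        return None
    return "Windows Firewall notifications suppressed" if data == 1 else None


CHECKS = (check_run_entry, check_userinit, check_zone_action, check_firewall_notifications)


def triage(entries):
    """Run every check over every registry value; return (key, name, message) findings."""
    findings = []
    for key, name, data in entries:
        for check in CHECKS:
            msg = check(key, name, data)
            if msg:
                findings.append((key, name, msg))
    return findings


if __name__ == "__main__":
    for key, name, msg in triage(SAMPLE_REGISTRY):
        print(f"[!] {msg}\n    {key}\\{name}")
```

The Userinit check deliberately accepts the stock value with its trailing comma and rejects any second program, which catches the sdra64.exe technique regardless of the file name used; the firewall check shows why the value recorded in this profile, 0, is not by itself evidence of tampering.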

The Trojan calls the following API functions to collect system information from the infected machine, which it sends to the remote attacker:

  • GetNativeSystemInfo
  • GetKeyboardLayoutList
  • GetKeyboardState
  • GetSystemPowerStatus
  • GetUserNameExW
  • getaddrinfo
  • NetUserGetInfo
  • _getFirefoxCookie

The Trojan checks for the following security products installed on the compromised machine (the product names appear split into separate words, as listed):

  • SafenSoft
  • SysWatch
  • McAfee
  • McAfee
  • Security Center
  • McAfee
  • SecurityCenter
  • Symantec
  • Client
  • Symantec
  • Protection
  • Symantec
  • Shared
  • Symantec
  • Security
  • Norton
  • Protection
  • Kaspersky
  • Security
  • Kaspersky
  • Anti-Virus
  • avast!
  • Antivirus
  • AntiVir
  • Desktop
  • AVG
  • Monitor
  • AVG
  • Service
  • AVG
  • Security
  • ESET
  • Security
  • ESET
  • Antivirus
  • Microsoft
  • Inspection
  • Microsoft
  • Malware
  • Microsoft
  • Security

The Trojan creates a mutex using the following API functions:

  • ReleaseMutex
  • CreateMutexW
  • OpenMutexW

The following WinINet imports indicate that the Trojan communicates over HTTP:
  • HttpQueryInfoA
  • InternetConnectA
  • InternetSetStatusCallbackA
  • InternetCrackUrlA
  • HttpAddRequestHeadersW
  • HttpOpenRequestA
  • HttpAddRequestHeadersA
  • InternetOpenA
  • InternetCloseHandle
  • HttpSendRequestExA
  • HttpSendRequestExW
  • InternetQueryDataAvailable
  • InternetReadFileExA
  • InternetReadFile
  • HttpSendRequestW
  • GetUrlCacheEntryInfoW
  • InternetSetStatusCallbackW
  • HttpOpenRequestW
  • InternetGetCookieA
  • InternetSetFilePointer
  • HttpEndRequestA
  • HttpSendRequestA
  • HttpEndRequestW
  • InternetQueryOptionA
  • InternetQueryOptionW
  • InternetSetOptionA


Updated on July 31 2013

Aliases

  • Microsoft    -     PWS:Win32/Fareit
  • Kaspersky    -     Trojan-PSW.Win32.Tepfer.ongv
  • Symantec    -     Trojan.Zbot
  • ESET-Nod32    -     Win32/Kryptik.BGWL trojan

“PWS-Zbot” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker. The Trojan may delete itself after execution.


“PWS-Zbot” steals stored passwords, cache and cookies from the following kinds of application:

  • E-mail client
  • Browser
  • FTP client

Upon execution, the Trojan drops files into the following locations:

  • %AppData%\Microsoft\Address Book\AVERT.wab
  • %AppData%\Qaez\tuojup.exe

The Trojan creates the following folders:

  • %AppData%\Microsoft\Address Book
  • %AppData%\Qaez


Upon execution, the Trojan injects code into explorer.exe and tries to connect to the following URLs and addresses over HTTP on port 8080:

  • hxxp://webmail.[Removed]:8080/ponyb/gate.php
  • hxxp://alsul.[Removed]080/ponyb/gate.php
  • hxxp://webmail.alsultan.[Removed]b/gate.php
  • hxxp://198.57. .[Removed]ate.php
  • hxxp://a1br.[Removed]/aiswY6.exe
  • hxxp://www.gif.[Removed]itive.com/kQYjoPqY.exe
  • hxxp://198. .[Removed]75.exe
  • hxxp://paulal.[Removed]uBwFA.exe
  • 93[Removed]174.80
  • 198[Removed]130.34
  • 76[Removed]128.210
  • 208[Removed]243.4
  • 198[Removed]134.93
  • 67[Removed]111.179

The following registry keys are added to the system:

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR
The following registry values are added to the system:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
The Trojan writes this value. Note that 0 is the default and leaves Windows Firewall notifications enabled; only a value of 1 suppresses them.
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Tuojup: "%AppData%\Qaez\tuojup.exe"
This Run entry makes sure the malware is executed each time the user logs on.
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\
    • LDAP Server ID: 0x00000003
    • Account Name: "WhoWhere Internet Directory Service"
    • LDAP Server: "ldap.whowhere.com"
    • LDAP URL: "http://www.whowhere.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\
    • LDAP Server ID: 0x00000002
    • Account Name: "VeriSign Internet Directory Service"
    • LDAP Server: "directory.verisign.com"
    • LDAP URL: "http://www.verisign.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Search Base: "NULL"
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\
    • LDAP Server ID: 0x00000001
    • Account Name: "Bigfoot Internet Directory Service"
    • LDAP Server: "ldap.bigfoot.com"
    • LDAP URL: "http://www.bigfoot.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\
    • LDAP Server ID: 0x00000000
    • Account Name: "Active Directory"
    • LDAP Server: "NULL"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000002
    • LDAP Simple Search: 0x00000000
    • LDAP Bind DN: 0x00000000
    • LDAP Port: 0x00000CC4
    • LDAP Resolve Flag: 0x00000001
    • LDAP Secure Connection: 0x00000000
    • LDAP User Name: "NULL"
    • LDAP Search Base: "NULL"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\
    • PreConfigVer: 0x00000004
    • PreConfigVerNTDS: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\
    • Server ID: 0x00000004
    • Default LDAP Account: "Active Directory GC"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\i98hh0j: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\1247h7b1: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\2ih341a1: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\1a9i7j80: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\g7f0dh4: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\339g9i47: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\2de6ab9h: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\150ghcj5: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\3478a1ca: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Ekakbiebadky\104ehegf: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name\: "%AppData%\Microsoft\Address Book\AVERT.wab"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4
    • OlkContactRefresh: 0x00000000
    • OlkFolderRefresh: 0x00000000
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\HWID: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\Client Hash: F2 1C 9D 5F 8F 23 38 8C 79 0A B5 1B 5E AE 89 EA
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\04D59F4A8F58F0DDDC2F71BB0D660EEE: 74 72 75 65
  • HKEY_USERS\S-1-5-21[Varies]\Software\WinRAR\05460A6B508F701CB02B5EC45236BF1D: 74 72 75 65

The Trojan calls the following API functions to collect information about the infected machine, which it sends to the remote attacker over port 8080:

  • GetUserNameA
  • gethostbyname
  • GetLocaleInfoA
  • GetSystemInfo

The Trojan steals stored passwords, cache and cookies from the following applications.

  • Opera
  • Firefox
  • Internet Explorer
  • Google Chrome
  • Windows Live Mail
  • Thunderbird
  • Bromium
  • Nichrome
  • Comodo
  • RockMelt
  • Visicom Media
  • Chromium
  • Global Downloader
  • NetSarang
  • Cyberduck
  • Pocomail
  • BatMail
  • NCH Software

The Trojan steals stored server names, port numbers, login IDs and passwords from the following FTP and file-transfer clients:

  • FileZilla
  • BulletProof FTP
  • SmartFTP
  • CuteFTP 6,7,8
  • CuteFTP Lite
  • CuteFTP Pro
  • COREFTP
  • TurboFTP
  • Robo-FTP 3.7
  • LinasFTP
  • FFFTP
  • FTP Explorer
  • ClassicFTP
  • Frigate3
  • VanDyke
  • FTPRush
  • LeapFTP
  • FTPHost
  • Ghisler
  • WinFTP
  • PuTTY
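For the clients listed above, the Trojan simply reads each client's own saved-site store. As an added example (not McAfee's code and not FileZilla's), the Python below parses a constructed FileZilla `sitemanager.xml` and reports which saved sites carry a password that an infostealer recovers by reading the file: FileZilla stores passwords either in clear (older releases) or base64-encoded, and neither is protection once the file is readable by the user's processes. The sample XML is constructed for this example; the element names follow FileZilla's format, and treating a Server entry without a Pass element as a key-file or prompted login is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in FileZilla's layout; hosts, users and
# passwords are invented for this example.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>webadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Production web</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>deploy</User>
      <Keyfile>C:\\Users\\me\\.ssh\\deploy.ppk</Keyfile>
      <Name>Deploy host</Name>
    </Server>
    <Server>
      <Host>old.example.test</Host>
      <Port>21</Port>
      <User>legacy</User>
      <Pass>plaintext-secret</Pass>
      <Name>Legacy</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def stored_credentials(xml_text):
    """Return one dict per saved site: host, port, user, how the password is stored,
    and the recovered password when the storage offers no protection."""
    root = ET.fromstring(xml_text)
    sites = []
    for server in root.iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            storage, secret = "none", None      # key file or prompted login (assumption)
        elif pw.get("encoding") == "base64":
            storage, secret = "base64", base64.b64decode(pw.text).decode("utf-8")
        else:
            storage, secret = "plaintext", pw.text   # older FileZilla releases
        sites.append({
            "host": server.findtext("Host", ""),
            "port": server.findtext("Port", ""),
            "user": server.findtext("User", ""),
            "storage": storage,
            "secret": secret,
        })
    return sites


def exposed(xml_text):
    """Sites whose password an infostealer recovers by simply reading the file."""
    return [s for s in stored_credentials(xml_text) if s["secret"] is not None]


if __name__ == "__main__":
    for s in exposed(SAMPLE_SITEMANAGER):
        masked = s["secret"][:2] + "*" * (len(s["secret"]) - 2)
        print(f"{s['user']}@{s['host']}:{s['port']} stored as {s['storage']} -> {masked}")
```

Run against a real profile, the `exposed` list is the set of credentials to rotate after an infection, and the entries with no stored password (key-file logins) are the pattern to move the others to.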

Once executed, the Trojan attempts to log on to the Administrator account of remote machines, trying each of the following passwords in turn (a dictionary attack rather than an exhaustive brute force):

  • diamond
  • hope
  • maggie
  • maverick
  • online
  • spirit
  • george
  • friends
  • dallas
  • adidas
  • 1q2w3e
  • orange
  • testtest
  • asshole
  • apple
  • biteme
  • william
  • mickey
  • asdfgh
  • wisdom
  • batman
  • michelle
  • david
  • eminem
  • scooter
  • asdfasdf
  • sammy
  • baby
  • samantha
  • maxwell
  • justin
  • james
  • chicken
  • danielle
  • iloveyou2
  • fuckoff
  • prince
  • junior
  • rainbow
  • fuckyou1
  • nintendo
  • peanut
  • none
  • church
  • bubbles
  • robert
  • destiny
  • loving
  • gfhjkm
  • mylove
  • jasper
  • hallo
  • cocacola
  • helpme
  • nicole
  • guitar
  • billgates
  • looking
  • scooby
  • joseph
  • genesis
  • forum
  • emmanuel
  • cassie
  • victory
  • passw0rd
  • foobar
  • ilovegod
  • nathan
  • blabla
  • digital
  • peaches
  • football1
  • power
  • thunder
  • gateway
  • iloveyou!
  • football
  • tigger
  • corvette
  • angel
  • killer
  • creative
  • google
  • zxcvbnm
  • startrek
  • ashley
  • cheese
  • sunshine
  • christ
  • soccer
  • qwerty1
  • friend
  • summer
  • merlin
  • phpbb
  • jordan
  • saved
  • dexter
  • viper
  • winner
  • sparky
  • windows
  • 123abc
  • lucky
  • anthony
  • jesus
  • ghbdtn
  • admin
  • hotdog
  • baseball
  • password1
  • dragon
  • trustno1
  • jason
  • internet
  • mustdie
  • john
  • letmein
  • mike
  • knight
  • jordan23
  • abc123
  • red123
  • praise
  • freedom
  • jesus1
  • london
  • computer
  • microsoft
  • muffin
  • qwert
  • mother
  • master
  • qazwsx
  • samuel
  • canada
  • slayer
  • rachel
  • onelove
  • qwerty
  • prayer
  • iloveyou1
  • whatever
  • god
  • password
  • blessing
  • snoopy
  • 1q2w3e4r
  • cookie
  • chelsea
  • pokemon
  • hahaha
  • aaaaaa
  • h
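A defender's counterpart to the password list above, added here as an example and not part of the profile: the bot's guessing shows up on the victim network as a burst of failed logons (Windows event 4625) for one account from one source, possibly followed by a success (4624) from the same source. The Python below runs that logic over constructed, simplified records of the form `<ISO timestamp> <event id> src=<ip> user=<name>`; the record format, the threshold and the window are assumptions, and turning a real event log into that form is left to the collector.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified logon records (not real event-log output):
# "<ISO timestamp> <event id> src=<source ip> user=<target account>".
# 4625 = failed logon, 4624 = successful logon.
_BASE = datetime(2013, 7, 31, 10, 0, 0)
SAMPLE_EVENTS = [
    f"{(_BASE + timedelta(seconds=2 * i)).isoformat()} 4625 src=10.0.0.5 user=Administrator"
    for i in range(30)                                       # 30 failures in 60 s
] + [
    f"{(_BASE + timedelta(seconds=70)).isoformat()} 4624 src=10.0.0.5 user=Administrator",  # then a success
    f"{(_BASE + timedelta(hours=1)).isoformat()} 4625 src=10.0.0.9 user=alice",             # two typos, hours apart
    f"{(_BASE + timedelta(hours=3)).isoformat()} 4625 src=10.0.0.9 user=alice",
]


def parse(line):
    """Split one record into (timestamp, event id, source ip, account)."""
    ts, event_id, src, user = line.split()
    return (datetime.fromisoformat(ts), event_id,
            src.split("=", 1)[1], user.split("=", 1)[1])


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window detector for dictionary attacks against one account.

    Returns alerts as (kind, src, user, failures_in_window, timestamp):
      "password_guessing"      -> at least `threshold` failures within `window`
      "success_after_guessing" -> a 4624 while failures are still inside the window
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerted = set()               # keys already reported, so one alert per burst
    alerts = []
    for ts, event_id, src, user in sorted(map(parse, lines)):
        key = (src, user)
        q = recent[key]
        while q and ts - q[0] > window:    # expire failures older than the window
            q.popleft()
        if event_id == "4625":
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("password_guessing", src, user, len(q), ts))
        elif event_id == "4624" and key in alerted and q:
            alerts.append(("success_after_guessing", src, user, len(q), ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, n, ts in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {kind}: {user} from {src} ({n} failures in window)")
```

The second alert kind is the one worth paging on: a success that lands while a burst of failures for the same account is still in the window means one of the guesses worked.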

Variants

Variants information
  Virus Name      Type     Subtype            Differences
  Spy-Agent.bw    Virus    Password Stealer


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

   
