Virus Profile: pws-zbot-faqd

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/6/2013
Date Added: 5/6/2013
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 7063
Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases –

  • Kaspersky - Trojan-Ransom.Win32.PornoAsset.cexr
  • Avast - Win32:Ransom-AHK [Trj]
  • ESET-NOD32 - a variant of Win32/Injector.AFOH
  • Microsoft - TrojanDownloader:Win32/Obvod.M

Indication of Infection

Presence of the activities, files and registry entries mentioned above.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
   

Virus Characteristics

-----------------------------------Updated 19th March 2014--------------------------------

Aliases :

  • Microsoft - Worm:Win32/Gamarue.I
  • AVG - Zbot.FFC
  • Nod32 - Win32/TrojanDownloader.Wauchos.Z
  • ikarus - Trojan.Inject

Characteristics –

"PWS-Zbot-FAQD" is the detection for this Trojan, which receives commands from a remote attacker in order to access the infected machine and download other malicious files. The Trojan creates a firewall rule to bypass the normal firewall restrictions, which may allow the remote attacker to issue commands and control the compromised machine without the user's knowledge. It also listens on open port 8000.

Upon execution, the Trojan copies itself to the following location:

  • %User Profile%\All Users\explorer.exe

The following registry values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler: "%User Profile%\All Users\explorer.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%User Profile%\Administrator\Desktop\msucika.exe: "%User Profile%\Administrator\Desktop\msucika.exe:*:Enabled:msucika"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%User Profile%\Administrator\Desktop\msucika.exe: "%User Profile%\Administrator\Desktop\msucika.exe:*:Enabled:msucika"
  • The registry values above ensure that the Trojan registers with the compromised system and executes itself upon every boot.

------------------------------------------------------------------------------------------------------


-----------------------------------Updated 10th May 2013--------------------------------

Aliases

  • Microsoft - TrojanDownloader:Win32/Obvod.M
  • Norman - Gamarue.AUY
  • Fortinet - W32/Jorik.CTPG!tr
  • Ikarus - Trojan-Downloader.Win32.Karagany

Characteristics

"PWS-Zbot-FAQD" creates many scheduled tasks and executes them every hour for 7 days. It also lowers the Internet Explorer security settings and disables all protection warning messages.

"PWS-Zbot-FAQD" checks for installed antivirus-related processes in order to avoid detection.

"PWS-Zbot-FAQD" injects an IFRAME and a script tag into the current session, resulting in several Internet Explorer sessions opening to websites that contain advertisements.

Below are the IFRAME and script tag templates that the Trojan tries to inject (shown with curly braces in place of angle brackets; %d and %s are printf-style placeholders filled in at runtime):

{IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH="%d" HEIGHT="%d" SRC="%s" tagged=YES}{/IFRAME}
{script language="javascript" src="%s"}{/script}

Upon execution, the Trojan injects code into explorer.exe and tries to connect to the following IPs and domains through port 53:
  • 94.228.[Removed].132:domain
  • 98.191. [Removed].17:domain
  • 400.be853513d6dbafa011646f2d[Removed]5838d063.ofi.method.in
  • 2.0.0.400.2424000961.35[Removed]3.0.4160.be853513d6dbafa011646f2dd838f5bd4d486c93025838d063.method.in
  • 0.32206.pf.de[Removed]rante.com
  • .
  • .
  • .
  • 400.32206.pf.d[Removed]erante.com
Upon execution, the Trojan copies itself into the system and drops files into the following locations:

  • %ALLUSERPROFILE%\Application Data\330o7A35.exe
  • %ALLUSERPROFILE%\Application Data\330o7A35.exe.b
  • %ALLUSERPROFILE%\Application Data\330o7A35.exe_.b
  • %ALLUSERPROFILE%\Application Data\rtt0Xxa53.dat
  • %WINDIR%\Tasks\At1.job through %WINDIR%\Tasks\At48.job (48 job files, At1 to At48)
The .job files above confirm that the Trojan schedules itself to execute every hour on all 7 days of the week.

The following registry key values have been added to the system.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0
The registry value above confirms that the Trojan disables the proxy settings.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\LA: 0x00000190
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours: 0x00000048
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000048
The registry values above confirm that the Trojan creates scheduled tasks and sets the maximum number of hours for which the tasks run.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE: "yes"
The above registry key value confirms that the Trojan disables the Script debugger for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error: "no"
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner: 0x00000001
The above registry key value confirms that the Trojan disables the Protected Mode Banner message for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing: 0x00000000
The above registry key value confirms that the Trojan disables the Zone crossing warning message for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003.
The above registry key value confirms that the Trojan lowers the Internet Explorer zone security settings in order to run the ActiveX control without user knowledge.
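A defender-side triage check for the artifacts documented in the 19th March 2014 update (the Run key and the firewall AuthorizedApplications entry) and in the 10th May 2013 update above (the At*.job files and the Internet Explorer registry values). This is an added example, not McAfee's code: it evaluates a constructed registry and file snapshot against those indicators; the hive abbreviations, the 48-job threshold and the user-writable folder heuristic are assumptions.

```python
# Triage of the host artifacts this profile lists. Added example, not part of
# the McAfee profile: it checks a snapshot of registry values and file paths
# (constructed inline below) against the documented indicators.
from fnmatch import fnmatchcase

# (key pattern, value name, data, description) for registry entries from the
# profile. '*' covers the varying SID and ControlSet001/CurrentControlSet.
REG_INDICATORS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
     "ProxyEnable", 0, "proxy settings disabled"),
    ("HKLM\\SYSTEM\\*ControlSet*\\Services\\Schedule",
     "AtTaskMaxHours", 0x48, "At task max hours set (scheduled-task persistence)"),
    ("HKU\\*\\Software\\Microsoft\\Internet Explorer\\Main",
     "DisableScriptDebuggerIE", "yes", "IE script debugger disabled"),
    ("HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
     "WarnOnZoneCrossing", 0, "IE zone-crossing warning disabled"),
    ("HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
     "2500", 3, "Internet zone security lowered (ActiveX without prompting)"),
]
RUN_KEY = "*\\Microsoft\\Windows\\CurrentVersion\\Run"
FW_LIST = "*\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"
# Folders the profile shows the Trojan running from; an autorun entry or a
# firewall exception pointing there is flagged (heuristic, our assumption).
USER_WRITABLE = ("\\all users\\", "\\desktop\\", "\\application data\\")

def _norm(v):
    """Compare registry data loosely: numbers as ints, text lower-cased."""
    if isinstance(v, int):
        return v
    s = str(v).strip().lower()
    if s.startswith("0x"):
        return int(s, 16)
    return int(s) if s.isdigit() else s

def triage(registry, files, job_threshold=48):
    """registry: [(key_path, value_name, data)], files: [path].
    Returns a list of findings; an empty list means nothing matched."""
    findings = []
    for key, name, data in registry:
        k, d = key.lower(), str(data).lower()
        for pattern, vname, bad, why in REG_INDICATORS:
            if (fnmatchcase(k, pattern.lower()) and name.lower() == vname.lower()
                    and _norm(data) == _norm(bad)):
                findings.append(f"{why}: {key}\\{name} = {data!r}")
        in_user_dir = any(t in d for t in USER_WRITABLE)
        if fnmatchcase(k, RUN_KEY.lower()) and in_user_dir:
            findings.append(f"autorun from user-writable path: {name} -> {data}")
        if fnmatchcase(k, FW_LIST.lower()) and ":enabled:" in d and in_user_dir:
            findings.append(f"firewall exception for user-writable exe: {data}")
    jobs = [f for f in files if fnmatchcase(f.lower(), "*\\tasks\\at*.job")]
    if len(jobs) >= job_threshold:
        findings.append(f"{len(jobs)} At*.job files in Tasks (hourly persistence)")
    return findings

# Constructed snapshot modelled on the profile's entries (not a real host).
SAMPLE_REGISTRY = [
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "Start WingMan Profiler", "C:\\Documents and Settings\\All Users\\explorer.exe"),
    ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy"
     "\\StandardProfile\\AuthorizedApplications\\List",
     "C:\\Documents and Settings\\Administrator\\Desktop\\msucika.exe",
     "C:\\Documents and Settings\\Administrator\\Desktop\\msucika.exe:*:Enabled:msucika"),
    ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\Schedule", "AtTaskMaxHours", "0x00000048"),
    ("HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion"
     "\\Internet Settings\\Zones\\3", "2500", 3),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "ProxyEnable", 0),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",  # benign, must not fire
     "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]
SAMPLE_FILES = [f"C:\\WINDOWS\\Tasks\\At{i}.job" for i in range(1, 49)] + ["C:\\WINDOWS\\Tasks\\SA.DAT"]

if __name__ == "__main__":
    for line in triage(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(line)
```

On a live host the same snapshot shape can be produced from a `reg export` of the listed keys and a directory listing of %WINDIR%\Tasks.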

The Trojan uses the following API functions to collect system information:
  • GetComputerNameA
  • GetSystemInfo
  • GetUserNameA
The Trojan may check for the following installed antivirus-related processes in order to avoid detection:
  • scftray
  • scfservice
  • scfmanager
  • savser
  • savadmins
  • alsvc
  • almon
  • npfmsg2
  • zlh
  • zanda
  • cclaw
  • npfsvice
  • njeeves
  • nipsvc
  • nip
  • nvcsched
  • nvcoas
  • spidernt
  • spiderui
  • drweb
  • pxcons
  • pxagent
  • guardxkickoff
  • vba32ldr
  • nod32kui
  • nod32krn
  • vsserv
  • livesrv
  • bdmcon
  • bdagent
  • xcommsvr
  • PXConsole
  • PXAgent
  • kpf4ss
  • kpf4gui
  • sunthreate
  • sunserv
  • sunprotect
  • counter
  • clamwin
  • clamtray
  • avgnt
  • avguard
  • avesvc
  • avcenter
  • ashwebsv
  • ashdisp
  • ashmaisv
  • ashserv
  • msascui
  • fsguidll
  • fsaw
  • fspex
  • fsm32
  • tsanti
  • kavpf
  • kav
  • dpasnt
  • msfw
  • msmps
  • mpeng
  • msco
  • winssno
  • symlcsvc
  • spbbcsvc
  • sndsrvc
  • nscsrvce
  • navapsvc
  • ccsetmgr
  • ccproxy
  • ccetvm
  • ccapp
  • alusched
  • oascl
  • msksr
  • mskage
  • mscif
  • mpft
  • mpfser
  • mpfag
  • mcvss
  • mcvs
  • mcupd
  • mcupdm
  • mctsk
  • mcshi
  • mcdet
  • mcage
  • zlcli
  • vsmon
  • webroot
  • spysw
  • firewalln
  • vrmo
  • vrfw
  • hsock
  • wmiprv
  • mxtask
  • swdoct
  • sdhe
  • vir.exe
  • webproxy
  • pavfnsvr
  • avengine
  • avciman
  • apvxdwin
  • avp
  • cavtray
  • cavrid
  • caissdt
  • isafe

-----------------------------------Updated 10th May 2013--------------------------------

Aliases

  • ESET-NOD32 - Win32/Injector.AFPC
  • Kaspersky - Trojan-Ransom.Win32.PornoAsset.cext
  • Microsoft - TrojanDownloader:Win32/Obvod.M
  • Sophos - Troj/Zbot-EON

Characteristics –

"PWS-Zbot-FAQD" creates many scheduled tasks and executes them every hour for 7 days. It also lowers the Internet Explorer security settings and disables all protection warning messages.

Upon execution, the Trojan injects code into explorer.exe and tries to connect to the following IPs and domains through port 53:
  • ns1.tr[Removed]her.com
  • pf.de[Removed]nte.com
  • 132.209.[Removed].94
  • 17.251.[Removed].98
Upon execution, the Trojan drops files into the following locations:
  • %ALLUSERPROFILE%\Application Data\B4BSoFlf.exe
  • %ALLUSERPROFILE%\Application Data\B4BSoFlf.exe.b
  • %ALLUSERPROFILE%\Application Data\B4BSoFlf.exe_.b
  • %ALLUSERPROFILE%\Application Data\GF5F2Rie.dat
  • %WINDIR%\Tasks\At1.job through %WINDIR%\Tasks\At48.job (48 job files, At1 to At48)
The .job files above confirm that the Trojan schedules itself to execute every hour on all 7 days of the week.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours: 0x00000048
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000048
The registry values above confirm that the Trojan creates scheduled tasks and sets the maximum number of hours for which the tasks run.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE: "yes"
The above registry key value confirms that the Trojan disables the Script debugger for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error: "no"
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner: 0x00000001
The above registry key value confirms that the Trojan disables the Protected Mode Banner message for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing: 0x00000000
The above registry key value confirms that the Trojan disables the Zone crossing warning message for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003.
The above registry key value confirms that the Trojan lowers the Internet Explorer zone security settings in order to run the ActiveX control without user knowledge.
----------------------------------------------------------------------------------------------------

-----------------------------------Updated 10th May 2013--------------------------------

Aliases

  • ESET-NOD32 - a variant of Win32/Injector.AFOH
  • Kaspersky - Trojan-Ransom.Win32.PornoAsset.cexr
  • Microsoft - TrojanDownloader:Win32/Obvod.M
  • Sophos - Troj/Zbot-EON

Characteristics –

"PWS-Zbot-FAQD" creates many scheduled tasks and executes them every hour for 7 days. It also lowers the Internet Explorer security settings and disables all protection warning messages.

Upon execution, the Trojan injects code into explorer.exe and tries to connect to the following IPs and domains through port 53:
  • ns1.tr[Removed]her.com
  • pf.de[Removed]nte.com
  • 132.209.[Removed].94
  • 17.251.[Removed].98
Upon execution, the Trojan drops files into the following locations:
  • %ALLUSERPROFILE%\Application Data\B4BSoFlf.exe
  • %ALLUSERPROFILE%\Application Data\B4BSoFlf.exe.b
  • %ALLUSERPROFILE%\Application Data\B4BSoFlf.exe_.b
  • %ALLUSERPROFILE%\Application Data\GF5F2Rie.dat
  • %WINDIR%\Tasks\At1.job through %WINDIR%\Tasks\At48.job (48 job files, At1 to At48)
The .job files above confirm that the Trojan schedules itself to execute every hour on all 7 days of the week.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours: 0x00000048
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000048
The registry values above confirm that the Trojan creates scheduled tasks and sets the maximum number of hours for which the tasks run.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE: "yes"
The above registry key value confirms that the Trojan disables the Script debugger for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error: "no"
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner: 0x00000001
The above registry key value confirms that the Trojan disables the Protected Mode Banner message for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing: 0x00000000
The above registry key value confirms that the Trojan disables the Zone crossing warning message for Internet Explorer.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003.
The above registry key value confirms that the Trojan lowers the Internet Explorer zone security settings in order to run the ActiveX control without user knowledge.

The Trojan uses the following API functions to collect system information:
  • GetComputerNameA
  • GetSystemInfo
  • GetUserNameA
----------------------------------------------------------------------------------------------------
"pws-zbot-faqd!758b50d95e7a" is a Trojan detection that downloads and installs other programs without user knowledge. This could include the installation of additional malware or malware components on the infected machine.

Upon execution, the Trojan tries to connect to a number of remote IP addresses and URLs.

   

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

   
