Virus Profile: PWS-ZBot.gen.asf

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/5/2012
Date Added: 12/5/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Generic
DAT Required: 6834
Removal Instructions


This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


  • Drweb        -    Trojan.PWS.Panda.2401
  • Fortinet    -    W32/Kryptik.WDV!tr
  • Trend        -    TROJ_KRYPTK.SMU7

Indication of Infection

Presence of above mentioned activities

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Virus Characteristics

PWS-ZBot.gen.asf ” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker.

“PWS-ZBot.gen.asf ”copy itself to %appdata%  with random six letter characters. Once it copied then the Trojan tries to delete itself from the current location by dropping a bat file with the following code.

  • del "%s"
  • if exist "%s" goto d
  • @echo off
  • del /F "%s"
 “PWS-ZBot.gen.asf ” steals information from stored passwords, cache and cookies of the following browsers:

  • Chrome
  • Firefox
  • Internet Explorer
It also monitors their behavior.

“PWS-ZBot.gen.asf ” is also checks for installed anti-virus or any security related software’s which has been installed in the system, by querying the following registries

If it’s found then it shuts down the process to avoid detection.

Once compromised, then it tries to join a botnet with a botname and post/get information to remote site. In our test using the current sample, it failed to connect to any remote site.

The Trojan also downloads other PWS variants to the compromised machine.

Upon Execution, the Trojan drops file into the following location:
  • %Temp%\abcd.bat
The following is the information collected from the infected machine and sent to the remote attacker through remote port 80:
  • GetLocaleInfoA
  • GetUserNameA
  • gethostbyname
  • GetNativeSystemInfo
  • GetSystemInfo
The Trojan steals stored passwords, cache and cookies from the following applications.

  • Firefox
  • Internet Explorer
  • Google Chrome
The Trojan checks for the following products which are installed in the compromised machine:

  • SafenSoft
  • SysWatch
  • McAfee
  • McAfee
  • Security Center
  • McAfee
  • SecurityCenter
  • Symantec
  • Client
  • Symantec
  • Protection
  • Symantec
  • Shared
  • Symantec
  • Security
  • Norton
  • Protection
  • Kaspersky
  • Security
  • Kaspersky
  • Anti-Virus
  • avast!
  • Antivirus
  • AntiVir
  • Desktop
  • AVG
  • Monitor
  • AVG
  • Service
  • AVG
  • Security
  • ESET
  • Security
  • ESET
  • Antivirus
  • Microsoft
  • Inspection
  • Microsoft
  • Malware
  • Microsoft
  • Security
The Trojan uses the following commands to collect system information from the infected machine and send it to the remote attacker
  • GetComputerNameW
  • GetUserDefaultUILanguage
  • GetNativeSystemInfo
  • GetKeyboardLayoutList
  • GetUserNameExW
The Trojan creates Mutex using the following commands

  • ReleaseMutex
  • CreateMutexW
  • OpenMutexW
The following strings confirm that the Trojan tries to connect internet:

  • HttpQueryInfoA
  • InternetConnectA
  • InternetSetStatusCallbackA
  • InternetCrackUrlA
  • HttpAddRequestHeadersW
  • HttpOpenRequestA
  • HttpAddRequestHeadersA
  • InternetOpenA
  • InternetCloseHandle
  • HttpSendRequestExA
  • HttpSendRequestExW
  • InternetQueryDataAvailable
  • InternetReadFileExA
  • InternetReadFile
  • HttpSendRequestW
  • GetUrlCacheEntryInfoW
  • InternetSetStatusCallbackW
  • HttpOpenRequestW
  • InternetGetCookieA
  • InternetSetFilePointer
  • HttpEndRequestA
  • HttpSendRequestA
  • HttpEndRequestW
  • InternetQueryOptionA
  • InternetQueryOptionW
  • InternetSetOptionA

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!