Trojan-Spy.Win32.Zbot.ajhf
1. What is the Trojan-Spy.Win32.Zbot.ajhf
Trojan-Spy.Win32.Zbot.ajhf is a stealthy computer infection with enough malicious capability to compromise the confidentiality of your personal data and, consequently, your privacy. Trojan-Spy.Win32.Zbot.ajhf uses rootkit techniques to infiltrate a computer system without being noticed. Once Trojan-Spy.Win32.Zbot.ajhf is on board, do not expect it to expose itself: it stays resident in the background while persistently doing its work. The worst thing Trojan-Spy.Win32.Zbot.ajhf does is collect user-identifying information and send it to a remote server controlled by the attackers. For this purpose, Trojan-Spy.Win32.Zbot.ajhf opens backdoors suited to establishing an inconspicuous connection with an external node. As a result, your financial details and your credentials (passwords, login data) are put at risk by the Trojan-Spy.Win32.Zbot.ajhf malware. It should also be mentioned that Trojan-Spy.Win32.Zbot.ajhf weakens the system's ability to resist the other infections that constantly try to break in and compromise system integrity. Please remove the Trojan-Spy.Win32.Zbot.ajhf threat if your PC is exposed to its stealthy attack.
2. Technical Details:
a. The following files were created in the system:

| No. | Filename | Size |
|-----|----------|------|
| 1 | %System%\sdra64.exe | 118,784 bytes |

- Note:
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Attention! The following hidden files were created in the system:

| No. | Filename | Size |
|-----|----------|------|
| 1 | %System%\lowsec\local.ds | 0 bytes |
| 2 | %System%\lowsec\user.ds | 332 bytes |
| 3 | %System%\lowsec\user.ds.lll | 315 bytes |

c. Attention! The following hidden directory was created:
%System%\lowsec
d. Memory Modifications

| Process Name | Process Filename | Allocated Size |
|--------------|------------------|----------------|
| services.exe | %System%\services.exe | 155,648 bytes |
| lsass.exe | %System%\lsass.exe | 155,648 bytes |
| svchost.exe | %System%\svchost.exe | 155,648 bytes |
| alg.exe | %System%\alg.exe | 155,648 bytes |
e. Registry Modifications
- The following Registry Keys were created:
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
- HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
- The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
- UID = "%ComputerName%_B4DF7611BB99FF8A"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
- {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
- {33373039-3132-3864-6B30-303233343434} = F7 09 F2 0D
- {6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
- {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
- {33373039-3132-3864-6B30-303233343434} = F7 09 F2 0D
- {6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- The following Registry Values were modified:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
f. Other details
- The data identified by the following URLs was then requested from the remote web server:
- http://www.oomseekerss.ru/img/konf.bin
- http://myip.ru
3. How-to's
a. How to prevent the Trojan-Spy.Win32.Zbot.ajhf?
Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it blocks it and so protects your network and business security.
b. How to Remove the Trojan-Spy.Win32.Zbot.ajhf Manually?
Step 1 : Remove Trojan-Spy.Win32.Zbot.ajhf files and folders
%System%\sdra64.exe
%System%\lowsec\local.ds
%System%\lowsec\user.ds
%System%\lowsec\user.ds.lll
%System%\lowsec
Step 2 : Remove the following Trojan-Spy.Win32.Zbot.ajhf registry keys
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
UID = "%ComputerName%_B4DF7611BB99FF8A"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = F7 09 F2 0D
{6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = F7 09 F2 0D
{6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000
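Before deleting anything by hand, a defender usually wants to know whether the artifacts listed in Steps 1 and 2 are actually present on a host. The following PowerShell script is an added example, not part of the original report and not Sax2 code: it audits a machine for the file, directory and registry indicators above and prints what it finds without removing anything. It assumes %System% maps to $env:SystemRoot\System32 (the Windows XP default noted in section 2.a) and that it is run from an elevated prompt, since the HKEY_USERS\.DEFAULT hive and hidden files in System32 need administrator rights to inspect. The process-memory allocations in section 2.d are not checked here, because a plain process listing cannot distinguish injected memory from a clean services.exe or svchost.exe.

```powershell
# Added IoC audit for the Trojan-Spy.Win32.Zbot.ajhf artifacts listed above (example code).
# Assumption: %System% = $env:SystemRoot\System32. Run elevated. Nothing is deleted.
$System = Join-Path $env:SystemRoot 'System32'

# File and directory artifacts (sections 2.a, 2.b, 2.c / Step 1)
$FileIocs = @(
    (Join-Path $System 'sdra64.exe'),
    (Join-Path $System 'lowsec\local.ds'),
    (Join-Path $System 'lowsec\user.ds'),
    (Join-Path $System 'lowsec\user.ds.lll'),
    (Join-Path $System 'lowsec')
)

# Registry keys (section 2.e / Step 2). HKEY_USERS has no drive by default, so use the Registry:: provider prefix.
$KeyIocs = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}'
)

# Registry values to report for review: UID under ...\Network and ProxyEnable under .DEFAULT Internet Settings
$ValueIocs = @(
    @{ Key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'; Name = 'UID' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyEnable' }
)

$Findings = @()

foreach ($Path in $FileIocs) {
    # -LiteralPath: no wildcard expansion; -Force: hidden items are returned too
    if (Test-Path -LiteralPath $Path) {
        $Item = Get-Item -LiteralPath $Path -Force
        $Size = if ($Item.PSIsContainer) { 'directory' } else { "$($Item.Length) bytes" }
        $Findings += [pscustomobject]@{
            Type   = 'File'
            Path   = $Path
            Detail = "$Size; Attributes=$($Item.Attributes)"
        }
    }
}

foreach ($Key in $KeyIocs) {
    if (Test-Path -LiteralPath $Key) {
        $ValueNames = (Get-Item -LiteralPath $Key).GetValueNames() -join ', '
        $Findings += [pscustomobject]@{ Type = 'RegKey'; Path = $Key; Detail = "Values: $ValueNames" }
    }
}

foreach ($V in $ValueIocs) {
    if (Test-Path -LiteralPath $V.Key) {
        $Data = (Get-ItemProperty -LiteralPath $V.Key -Name $V.Name -ErrorAction SilentlyContinue).($V.Name)
        if ($null -ne $Data) {
            # The report shows UID = "%ComputerName%_<hex>"; the value is printed so an analyst can compare it
            $Findings += [pscustomobject]@{ Type = 'RegValue'; Path = "$($V.Key)\$($V.Name)"; Detail = "$Data" }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No Trojan-Spy.Win32.Zbot.ajhf artifacts from the report were found on $env:COMPUTERNAME."
    exit 0
}

$Findings | Format-Table -AutoSize -Wrap
# Non-zero exit code so the script can be used in a fleet-wide sweep
exit 1
```

A hit on the hidden-file indicators (sdra64.exe or the lowsec directory) is the strongest signal; the UID and ProxyEnable values are reported for review because the report lists them, but their mere presence is not proof on its own. If artifacts are found, take the host off the network and preserve copies of the files before following Steps 1 and 2.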
c. How to Remove these trojans Instantly?
Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
4. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm