PWS:Win32/Zbot.AGA removal guide

PWS:Win32/Zbot.AGA is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to complete a scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the PWS:Win32/Zbot.AGA virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data
  • Authenticode signature is invalid
  • Queries information on disks, possibly for anti-virtualization
  • Uses IOCTL_SCSI_PASS_THROUGH control codes to manipulate drive/MBR which may be indicative of a bootkit
  • Attempted to write directly to a physical drive
  • Anomalous binary characteristics

Related domains:

wpad.local-net

How to identify PWS:Win32/Zbot.AGA?

File Info:

name: 99ADFA5EA674094D26B7.mlw
path: /opt/CAPEv2/storage/binaries/22e04d4548c815f99a596ed83ccac35896e44531f59c0fbd424e525d1583bbc9
crc32: 2B57C1B5
md5: 99adfa5ea674094d26b7996b928da6fe
sha1: 03faae2c457ff7de6b2fbcc49a89f255fd07b38c
sha256: 22e04d4548c815f99a596ed83ccac35896e44531f59c0fbd424e525d1583bbc9
sha512: 89c02f29a34920547f1d1540644536e6ac9d4f9c4f1240bda06ade9c8195c6db3227ea56a26b17dc3365af21d21c582a7f1f9c83779bc6240d424c0bf9110b3d
ssdeep: 6144:MLNQWaNcX61zdwfblEdJyM7wiPuIWFOwPVRmdg7qtk/Eaje1fn+aCyIK3ccnMxjl:NVcKWlEdNGlFOwPV3sa+fW1K3DnsoD6
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1BA841280ABFA1368F5F39BF02DB03795A535BDB44A329B1E1250190E1C325A9CF46F76
sha3_384: 5fc6891076c198566c8a41d530654dbe219dfbfc75e9dee5bc23a7decfa2813b5cd686a28fabe6f41780a7159386e79d
ep_bytes: 6801605900e801000000c3c38398fe08
timestamp: 1988-08-15 10:43:04

Version Info:

LegalCopyright: © Stefan Fleischmann, X-Ways Software Technology AG 1995-2010
FileDescription: WinHex
CompanyName: X-Ways Software Technology AG
FileVersion: 15.7
InternalName: WINHEX
OriginalFilename: WINHEX.EXE
ProductName: WinHex
ProductVersion: 15.7
Translation: 0x0409 0x04e4

PWS:Win32/Zbot.AGA is also known as:

Bkav: W32.AIDetect.malware1
Lionic: Trojan.Win32.Generic.4!c
MicroWorld-eScan: Gen:Variant.Zusy.15093
FireEye: Generic.mg.99adfa5ea674094d
ALYac: Gen:Variant.Zusy.15093
Cylance: Unsafe
Zillya: Trojan.Agent.Win32.258331
Alibaba: TrojanPSW:Win32/BScope.76d45136
Cybereason: malicious.ea6740
Cyren: W32/Zbot.FY.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: Win32/Spy.Zbot.AAQ
APEX: Malicious
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Zusy.15093
NANO-Antivirus: Trojan.Win32.Agent.wgzex
SUPERAntiSpyware: Trojan.Agent/Gen-Kryptik
Avast: Win32:Downloader-PSK [Trj]
Tencent: Win32.Trojan.Agent.Hvtd
Ad-Aware: Gen:Variant.Zusy.15093
Sophos: ML/PE-A + Troj/Zbot-CHR
Comodo: Packed.Win32.MNSP.Gen@2697wr
DrWeb: Trojan.Siggen4.18982
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TSPY_ZBOT.FL
McAfee-GW-Edition: PWS-Zbot.gen.akh
Emsisoft: Gen:Variant.Zusy.15093 (B)
SentinelOne: Static AI – Malicious PE
GData: Gen:Variant.Zusy.15093
Jiangmin: TrojanSpy.Zbot.bwwn
Webroot: W32.Trojan.Gen
Avira: TR/Crypt.ASPM.Gen
Antiy-AVL: Trojan/Generic.ASMalwS.20E993
Kingsoft: Win32.Troj.Agent.(kcloud)
Arcabit: Trojan.Zusy.D3AF5
ViRobot: Trojan.Win32.A.Agent.380928.K
Microsoft: PWS:Win32/Zbot.AGA
Cynet: Malicious (score: 100)
McAfee: PWS-Zbot.gen.akh
MAX: malware (ai score=100)
VBA32: BScope.Trojan.Zbot.9812
TrendMicro-HouseCall: TSPY_ZBOT.FL
Yandex: Trojan.GenAsa!qlUCKk5d+cE
Ikarus: Trojan.Crypt
Fortinet: W32/Generic.AC.1AA4BA!tr
BitDefenderTheta: Gen:NN.ZexaF.34294.xC0aa0c!WJp
AVG: Win32:Downloader-PSK [Trj]
Panda: Generic Malware
MaxSecure: Trojan.Malware.300983.susgen

How to remove PWS:Win32/Zbot.AGA?

PWS:Win32/Zbot.AGA removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.