PWS:Win32/Zbot.AIG removal instruction

PWS:Win32/Zbot.AIG is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the PWS:Win32/Zbot.AIG virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Created a process from a suspicious location
  • Anomalous binary characteristics

How to identify PWS:Win32/Zbot.AIG?

File Info:

name: 8B4A4191B8B735E64641.mlw
path: /opt/CAPEv2/storage/binaries/ed33d047d45e4b792bf6dcf52c4bbb53619cf5e7195128540245ac28e767580a
crc32: 98A9F1CC
md5: 8b4a4191b8b735e6464199963e38d540
sha1: ea15b4b24a07c2aa71588cb5446ec238d9e0a3ea
sha256: ed33d047d45e4b792bf6dcf52c4bbb53619cf5e7195128540245ac28e767580a
sha512: 61965117efcc5c363d1bfbdef7816bfda3b07d7ea065aebfcfb99ac77d19f614cb3ea1153346942c3f418bc92f8c4d53267966a4787d693ff4260837e685bd30
ssdeep: 24576:RRmJkcoQricOIQxiZY1iaIH4SFsF7iRjWv:eJZoQrbTFZY1iaIYSFIiVWv
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1A625C022F6929077C1A367715E7AF66A9F387D36122AC19B33C43E251EB01412F25B37
sha3_384: 6572ca8a7cb10170c6b5524a1260a4b35e6e17982db2e4a7d3335c3f725b59d0d80bb80850f2fb75c9ca2f0d194fa799
ep_bytes: e816900000e989feffffcccccccccc55
timestamp: 2012-01-29 21:32:28

Version Info:

CompanyName: Microsoft Corporation
FileDescription:
FileVersion: 3, 3, 8, 1
InternalName: DVDMaker
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: DVDMaker
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385
Translation: 0x0809 0x04b0
CompiledScript: AutoIt v3 Script: 3, 3, 8, 1

PWS:Win32/Zbot.AIG also known as:

Lionic: Trojan.Win32.Autoit.m6p8
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Trojan.Heur.AutoIT.2
FireEye: Generic.mg.8b4a4191b8b735e6
ALYac: Gen:Trojan.Heur.AutoIT.2
Cylance: Unsafe
K7AntiVirus: Trojan ( 700000111 )
Alibaba: TrojanSpy:Win32/Injector.2e4fa8e6
K7GW: Trojan ( 700000111 )
Cybereason: malicious.1b8b73
Symantec: Trojan.Gen.MBT
ESET-NOD32: Win32/Spy.Zbot.YW
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Malware.Autoit-6989569-0
Kaspersky: Trojan-Spy.Win32.Zbot.kiyd
BitDefender: Gen:Trojan.Heur.AutoIT.2
NANO-Antivirus: Trojan.Win32.AutoIt.ebmpre
Avast: AutoIt:Injector-EC [Trj]
Tencent: Win32.Trojan-spy.Zbot.Ebha
Ad-Aware: Gen:Trojan.Heur.AutoIT.2
Emsisoft: Gen:Trojan.Heur.AutoIT.2 (B)
Comodo: Malware@#2xlykouj8fbiq
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TROJ_SPNR.30HR13
McAfee-GW-Edition: BehavesLike.Win32.ZBot.fh
Sophos: Mal/Generic-R + Troj/Zbot-EPG
Ikarus: Trojan-Spy.Zbot
GData: Gen:Trojan.Heur.AutoIT.2
Webroot: W32.Infostealer.Zeus
Avira: DR/AutoIt.Gen
MAX: malware (ai score=100)
Arcabit: Trojan.Heur.AutoIT.2
Microsoft: PWS:Win32/Zbot.AIG
Cynet: Malicious (score: 99)
AhnLab-V3: Spyware/Win32.Zbot.R73637
McAfee: Artemis!8B4A4191B8B7
VBA32: TrojanSpy.Zbot
Malwarebytes: Malware.AI.3917739178
TrendMicro-HouseCall: TROJ_SPNR.30HR13
Rising: Spyware.Zbot!8.16B (CLOUD)
SentinelOne: Static AI – Malicious PE
MaxSecure: Trojan.Autoit.AZA
Fortinet: W32/Zbot.EPG!tr
BitDefenderTheta: AI:Packer.D7D05DD419
AVG: AutoIt:Injector-EC [Trj]
CrowdStrike: win/malicious_confidence_70% (D)

How to remove PWS:Win32/Zbot.AIG?

PWS:Win32/Zbot.AIG removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select the proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.