PWS:Win32/Zbot.ALF information

Malware Removal

PWS:Win32/Zbot.ALF is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the PWS:Win32/Zbot.ALF virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • At least one process apparently crashed during execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Chinese (Simplified)
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Code injection with CreateRemoteThread in a remote process
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Collects and encrypts information about the computer likely to send to C2 server
  • Collects information to fingerprint the system

How to identify PWS:Win32/Zbot.ALF?

File Info:

name: 5C51790536BDD5AFC065.mlw
path: /opt/CAPEv2/storage/binaries/cf0aaeab10f0b6cdc0aa636ee084e6eab85cdc4523946bd6417a69d5c7608b50
crc32: 5E06B060
md5: 5c51790536bdd5afc065fd524218feec
sha1: 968d726fced4c3af8e72e96206d80c0dee899209
sha256: cf0aaeab10f0b6cdc0aa636ee084e6eab85cdc4523946bd6417a69d5c7608b50
sha512: 56d86fc4d4883aeff16139b0e1ccca9aeac1b6ca1429cfa939fa93576ef93da59c8bcc430f40343302752fe525201cf5e68f02720f3a91fa6b958c030f1a3e04
ssdeep: 6144:3YrEzmUrq/1LkT5v1qefsyF6738YfoNk8p21nuS336zJbBakA9:3Nrqpy59kYnYuenuiqd1h4
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T13544236FB6DF8A79C9A1C63524622D1DBBE9E91358683B371F463E4C6C71026CD03278
sha3_384: 1d47a2ea0fbb370e2f59efd7c0a7005e94b5d898d48a8c7024390988320fe78d47da9e5d96c952283cce5471cb61d0bd
ep_bytes: b86f264000e8c515000081ecc4000000
timestamp: 2014-02-22 17:21:21

Version Info:

Comments:
CompanyName:
FileDescription: MyFtp
FileVersion: 1, 0, 0, 1
InternalName: MyFtp
LegalCopyright: Copyright © 2014
LegalTrademarks:
OriginalFilename: MyFtp.exe
PrivateBuild:
ProductName: MyFtp
ProductVersion: 1, 0, 0, 1
SpecialBuild:
Translation: 0x0408 0x04b0

PWS:Win32/Zbot.ALF also known as:

Bkav: W32.AIDetect.malware1
Lionic: Trojan.Win32.Zbot.l!c
tehtris: Generic.Malware
DrWeb: Trojan.Winlock.8004
MicroWorld-eScan: Gen:Trojan.Zboter.2
FireEye: Generic.mg.5c51790536bdd5af
CAT-QuickHeal: TrojanPWS.Zbot.A4
Cylance: Unsafe
Sangfor: Trojan.Win32.Generic.8
K7AntiVirus: Trojan ( 0055e3f51 )
K7GW: Trojan ( 0055e3f51 )
Cybereason: malicious.536bdd
Arcabit: Trojan.Zboter.2
BitDefenderTheta: Gen:NN.ZexaF.34606.pq3@ayDP1npb
VirIT: Trojan.Win32.Generic.AECV
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win32/Injector.AYUU
TrendMicro-HouseCall: TROJ_SPNR.35CD14
ClamAV: Win.Trojan.Agent-1127398
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Trojan.Zboter.2
NANO-Antivirus: Trojan.Win32.Inject.cwdpwb
SUPERAntiSpyware: Trojan.Agent/Gen-Zusy
Avast: Win32:Crypt-QQY [Trj]
Tencent: Malware.Win32.Gencirc.114c3f7f
Ad-Aware: Gen:Trojan.Zboter.2
Sophos: ML/PE-A + Mal/Zbot-SX
Comodo: TrojWare.Win32.Injector.AYTP@587bwp
Zillya: Trojan.Zbot.Win32.149726
TrendMicro: TROJ_SPNR.35CD14
McAfee-GW-Edition: Downloader-FYH!5C51790536BD
SentinelOne: Static AI – Suspicious PE
Emsisoft: Gen:Trojan.Zboter.2 (B)
Ikarus: Trojan-Downloader.Win32.Carberp
Jiangmin: TrojanSpy.Zbot.eciy
Webroot: Trojan.Dropper.Gen
Avira: HEUR/AGEN.1230560
Antiy-AVL: Trojan/Generic.ASMalwS.89013C
Kingsoft: Win32.Troj.Zbot.rq.(kcloud)
Microsoft: PWS:Win32/Zbot.ALF
GData: Gen:Trojan.Zboter.2
Cynet: Malicious (score: 100)
AhnLab-V3: Backdoor/Win32.Androm.R99103
McAfee: Downloader-FYH!5C51790536BD
TACHYON: Trojan-Spy/W32.ZBot.261480
VBA32: TrojanSpy.Zbot
Malwarebytes: Spyware.Zbot
APEX: Malicious
Rising: Spyware.Zbot!8.16B (RDMK:cmRtazrH8KdqAb8Uh1/ylII54643)
MAX: malware (ai score=82)
Fortinet: W32/Kryptik.WIF!tr
AVG: Win32:Crypt-QQY [Trj]
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_100% (W)

How to remove PWS:Win32/Zbot.ALF?

PWS:Win32/Zbot.ALF removal tool

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.