
About “PWS:Win32/Zbot.TQ” infection


The PWS:Win32/Zbot.TQ is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the PWS:Win32/Zbot.TQ virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Unconventional language used in binary resources: Russian
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid

How to identify PWS:Win32/Zbot.TQ?

File Info:

name: 127804D7E2E4E277F789.mlw
path: /opt/CAPEv2/storage/binaries/6026a13977915c0f64e8843756c2492e225f4a9ffcef2eeee85139b6a5d8dca0
crc32: F88BD89F
md5: 127804d7e2e4e277f789c4d187f22687
sha1: eb06e2258065a4cd4a408190f25bc9714caa945b
sha256: 6026a13977915c0f64e8843756c2492e225f4a9ffcef2eeee85139b6a5d8dca0
sha512: 50d167b889fd56b0275b3f5b40dfef822c6073b945b005ea04a98170e781a5c6415cb09a8eeb21f1a00596bfaad1ebcc5bdd9df5bb695cacaf5106d020f1cb64
ssdeep: 3072:DeFJI9rIX/XftYUSCKSm/N41M2zDxj5fvl3Tp2JYRlapbqj/WRm9m:DmIBW/XfWvpSgWW2zDxFfvl3vvap3Rm9
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1C7F312413CC67516D2F6EB7AC18745901E319ECA0E6B7664FD0437AB0B23E64F91BB21
sha3_384: 159913fc939d00ed3512696195051df79e5e218bda4f8e63bc6e3559ff8f789f7a3e24ac5bdb7101451dbf2cc2df2e62
ep_bytes: 60be004041008dbe00d0feff57eb0b90
timestamp: 2008-09-19 12:13:47

Version Info:

Comments:
CompanyName: Avira GmbH
FileDescription: Antivirus Control Center
FileVersion: 8.00.70.08
InternalName: Control Center
LegalCopyright: Copyright © 2008 Avira GmbH. All rights reserved.
LegalTrademarks: AntiVir® is a registered trademark of Avira GmbH, Germany.
OriginalFilename: avcenter.exe
PrivateBuild:
ProductName: AntiVir Workstation
ProductVersion: 8.00.70.08
SpecialBuild:
Translation: 0x0800 0x04b0

PWS:Win32/Zbot.TQ also known as:

Bkav: W32.AIDetect.malware1
Lionic: Trojan.Win32.SpyEyes.l!c
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Bredo.22
FireEye: Generic.mg.127804d7e2e4e277
CAT-QuickHeal: TrojanBNK.Zbot.mue
ALYac: Gen:Variant.Bredo.22
Cylance: Unsafe
Zillya: Trojan.FakeAV.Win32.41677
Sangfor: Trojan.Win32.SpyEyes.evn
K7AntiVirus: Trojan ( 004af95c1 )
Alibaba: TrojanSpy:Win32/SpyEyes.4537a63c
K7GW: Trojan ( 004af95c1 )
Cybereason: malicious.7e2e4e
VirIT: Trojan.Win32.Generic.AOQE
Cyren: W32/S-5f8a72a3!Eldorado
Symantec: Trojan.Spyeye
ESET-NOD32: a variant of Win32/Kryptik.JAV
APEX: Malicious
ClamAV: Win.Packed.Zbot-9872123-0
Kaspersky: Trojan-Spy.Win32.SpyEyes.evn
BitDefender: Gen:Variant.Bredo.22
NANO-Antivirus: Trojan.Win32.ZBot.cpfyc
Avast: Win32:Trojan-gen
Tencent: Malware.Win32.Gencirc.114de46e
Ad-Aware: Gen:Variant.Bredo.22
Sophos: Mal/Generic-R + Mal/FakeAV-BW
Comodo: TrojWare.Win32.TrojanSpy.Zbot.G@2tckk5
F-Secure: Trojan.TR/Crypt.EPACK.Gen2
DrWeb: Trojan.PWS.Panda.387
VIPRE: VirTool.Win32.Obfuscator.da!j (v)
TrendMicro: TROJ_SPYEYE.SMEP
McAfee-GW-Edition: PWS-Spyeye.fa
Emsisoft: Gen:Variant.Bredo.22 (B)
Ikarus: Trojan.Win32.Spyeye
GData: Gen:Variant.Bredo.22
Jiangmin: TrojanSpy.SpyEyes.osx
Avira: TR/Crypt.EPACK.Gen2
MAX: malware (ai score=100)
Antiy-AVL: Trojan[Spy]/Win32.SpyEyes
Arcabit: Trojan.Bredo.22
ViRobot: Trojan.Win32.A.SpyEyes.162816.E[UPX]
ZoneAlarm: Trojan-Spy.Win32.SpyEyes.evn
Microsoft: PWS:Win32/Zbot.TQ
Cynet: Malicious (score: 100)
AhnLab-V3: Spyware/Win32.Zbot.R2551
McAfee: Artemis!127804D7E2E4
VBA32: Trojan.Zeus.EA.0999
Malwarebytes: Malware.Heuristic.1003
TrendMicro-HouseCall: TROJ_SPYEYE.SMEP
Rising: Spyware.SpyEyes!8.4AA (CLOUD)
Yandex: Trojan.Kryptik!OWv7CCyj1CY
SentinelOne: Static AI – Malicious PE
eGambit: Generic.Malware
Fortinet: W32/Kryptic!tr
BitDefenderTheta: Gen:NN.ZexaF.34212.jmKfaOcBCDhc
AVG: Win32:Trojan-gen
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_90% (W)

How to remove PWS:Win32/Zbot.TQ?

PWS:Win32/Zbot.TQ removal tool:
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
