Tag Archives for "01detectinfosteal"

Remove W32.Spybot.AVEO

W32.Spybot.AVEO also performs the following payload actions:

It modifies the Windows Registry and adds the following entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Firewall Updater" = "windowsupdate.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"Windows Firewall Updater" = "windowsupdate.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\"EnableRemoteConnect" = "N"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server\"Enabled" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"AutoShareWks" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"AutoShareServer" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\"windowsupdate.exe" = "C:\WINDOWS\system32\windowsupdate.exe:*:Enabled:Windows Firewall Updater"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"AllowUnqualifiedQuery" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"PrioritizeRecordData" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TCP1320Opts" = "3"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"KeepAliveTime" = "23280"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"BcastQueryTimeout" = "2EE"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"BcastNameQueryCount" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"CacheTimeout" = "EA60"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"Size/Small/Medium/Large" = "3"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"LargeBufferSize" = "1000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"SynAckProtect" = "2"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"PerformRouterDiscovery" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"EnablePMTUBHDetect" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"FastSendDatagramThreshold" = "400"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"StandardAddressLength" = "18"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"DefaultReceiveWindow" = "4000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"DefaultSendWindow" = "4000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"BufferMultiplier" = "200"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"PriorityBoost" = "2"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"IrpStackSize" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"IgnorePushBitOnReceives" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"DisableAddressSharing" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"AllowUserRawAccess" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"DisableRawSecurity" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"DynamicBacklogGrowthDelta" = "32"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"FastCopyReceiveThreshold" = "400"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"LargeBufferListDepth" = "A"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"MaxActiveTransmitFileCount" = "2"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"MaxFastTransmit" = "40"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"OverheadChargeGranularity" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"SmallBufferListDepth" = "20"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"SmallerBufferSize" = "80"
  • HKEY_CURRENT_USER\Software\Microsoft\OLE\"Windows Firewall Updater" = "windowsupdate.exe"

The threat drops the following malicious file:

  • %System%\windowsupdate.exe

Remove Trojan.Zbot

Trojan.Zbot also performs the following payload action:

It modifies the Windows Registry and adds the following entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\sdra64.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\oembios.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"

The Trojan.Zbot threat drops the following malicious files:

  • %System%\sdra64.exe
  • %System%\oembios.exe
  • %System%\ntos.exe
  • %System%\wsnpoem\audio.dll
  • %System%\wsnpoem\video.dll
  • %System%\sysproc64\sysproc86.sys
  • %System%\sysproc64\sysproc32.sys
  • %System%\lowsec\local.ds

Remove PWS-Zbot.gen.v

When installed on the computer, PWS-Zbot.gen.v also performs the following:

It modifies the Windows Registry and adds the following entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit" = "C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe"

The threat drops the following malicious files:

  • %SysDir%\lowsec\local.ds
  • %SysDir%\lowsec\user.ds
  • %SysDir%\lowsec\user.ds.lll
  • %SysDir%\sdra64.exe