Zeus Removal Instructions

[Christian Mairoll 237]

 

Zeus is a bad applications that can steal your important information, like online banking accounts. This is same description from the authors, “Zeus is software to steal personal user data from remote system…”.

Zeus is the most popular financial malware on the Net today. a-squared Anti-Malware detects this malware as Trojan-Spy.Win32.Zbot. Zeus is also known as Zbot, Kollah, Pakes, PWSZbot, Banker, or Wsnpoem, as seen from this VirusTotal scan results:

Zeus contains the following modules:

• Zeus Web Control Panel (to control the botnet)
• Zeus Builder (to create the bot, and to encrypt the configuration file)
• Zeus BackConnect

The screenshot of Zeus builder:

Usually, the bot spreads by email. At the infected machine, he will contact the server to request a configuration file that contains a list of sites that are mostly online banking.

Bot is written in C++, and its encrypted. From one of our sample, this malware have such as characteristics:

The bot file using fake version information:

When executed, its try to copy itself to the following location, appends a random of data (junk) at the end of the file, and also its hidden from Explorer, because its hook API NtQueryDirectoryFile:

• %SystemRoot%System32sdra64.exe

The bot may then create some of the following files, and its hidden too:

• %SystemRoot%System32lowseclocal.ds
• %SystemRoot%System32lowsecuser.ds
• %SystemRoot%System32lowsecuser.ds.lll

Using IceSword, the hidden files and directory can be seen:

It creates one of the following mutexes:

• _AVIRA_2110
• _AVIRA_2101
• _AVIRA_2108
• _AVIRA_2109
• _AVIRA_21099

Then it enumerates process to checks for the presence of the following programs:

• outpost.exe (Outpost Personal Firewall)
• zlclient.exe (ZoneLabs Firewall)

Inject its own code to the following process:

• winlogon.exe
• svchost.exe
• explorer.exe

It also modify the following registry entry, so the bot can run automatically whenever Windows starts:

Once decrypted, we seen some interesting strings:

And here’s another strings:

Asystem
Asoftware
Awinsta0
ASetErrorMode
A*%u.%u.%u.%u*
Adefault
Agdiplus.dll
Aole32.dll
Agdi32.dll
ADISPLAY
AGdiplusStartup
AGdiplusShutdown
AGdipCreateBitmapFromHBITMAP
AGdipDisposeImage
AGdipGetImageEncodersSize
AGdipGetImageEncoders
AGdipSaveImageToStream
ACreateStreamOnHGlobal
ACreateDCA
ACreateCompatibleDC
AGetDeviceCaps
ACreateCompatibleBitmap
ASelectObject
ABitBlt
ADeleteObject
ADeleteDC
Areboot
Ashutdown
Aresetgrab
Aupcfg
Akbot
Arename_bot
Agetcerts
Agetmff
Adelmff
Asethomepage
Abc_add
Abc_del
Ablock_url
Aunblock_url
Ablock_fake
Aunblock_fake
Akos
Arexeci
Arexec
Alexeci
Alexec
Aapplication/x-www-form-urlencoded
AContent-Type: %s
ZCID: %s
AKeys:
ATYPE
AFEAT
APASV
ASTAT
ALIST
Aanonymous
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
ACustomerServiceMenuEntryPoint?custAction=75
AQ%u: %s
A%u: %s
AAccept-Encoding:
Agetfile
Aaddsf
Adelsf
AGRABBED TAN:
ASKIPPED TAN:
lowsec
user.ds
local.ds
sdra64.exe
SYSTEM
winlogon.exe
svchost.exe
explorer.exe
$UID
_AVIRA_2110
_AVIRA_2101
_AVIRA_2108
_AVIRA_2109
_AVIRA_21099
userinit
softwaremicrosoftwindows ntcurrentversionnetwork
softwaremicrosoftwindows ntcurrentversionwinlogon
softwaremicrosoftwindowscurrentversionrun
csrss.exe
%s_%08X
%08X%08X%08X%X
ntdll.dll
outpost.exe
zlclient.exe
image/jpeg
screens%s%04X_%08X.jpg
driversetchosts
%08X.uf
*.uf
pass
softwaremicrosoftwindowscurrentversionexplorercomdlg32
filesearch%06X_%s
certs%s_%02u_%02u_%04u.pfx

How to remove the infection of Trojan-Spy.Win32.Zbot?

To delete this malware infection, please download and install a-squared
Anti-Malware. Run a full scan on all drives and move all detected items
to the quarantine.

View the full article