f%$king zeus...
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: f%$king zeus...

Hybrid View

  1. #1

    Unhappy f%$king zeus...

    I have some variant of the Zeus virus on my system. I have Avira and have it set to auto update, auto scan every 24 hr.. But this variant of Zeus does not seem to be found by Avira.
    Since I don't want to give up yet and reimage my system, I'm using a different system to log on to my financial sites and use ebay / paypal so as to avoid my login info being harvested.

    Something I'm noticing may or may not be related...

    When I issue the netstat command at a prompt I get what seems to be port loops.
    Below is an example of the output from netstat, and the number of "loops" like the one below varies from time to time. Port numbers vary also. I do have Spybot installed, and use the passive protection features to modify my hosts file. I'm guessing these "loops" are foiled attempts from malware / spyware to download more of its kind to my system?
    I'm not really understanding the need for my PC to talk to itself outside of the OS??

    Code:
    Proto       Local                   Foreign                    State
    -------------------------------------------------------------
    TCP        black:2002            localhost:2856           ESTABLISHED
    TCP        black:2856            localhost:2002           ESTABLISHED
    TCP
    I'd appreciate anyone who can bring a little clarity to this seemingly odd behavior.

    Thank you
    Analog = Classical
    Digital = Techno

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Found the following writeup on Zeus. This is actually a member of the Trojan.Zbot family. I didn't have enough time to go through it in detail but it may provide you some insight as to what's going on and how to get rid of it.

    http://www.symantec.com/connect/blogs/kneber-zeus

    Cheers:
    DjM

  3. #3
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    netstat -ao or just o .. so that you get process (ID) that is establishing the connection.

    or

    use TCPview by Systeminternals

    Use process explorer (systeminternals) to take a copy of the exe file and either directly send it to avira or check it on virustotal.com to see if avira and others have a detection for it.


    Stop using the machine till there is an update and the malware is removed from the machine.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  4. #4
    Quote Originally Posted by ByTeWrangler View Post
    netstat -ao or just o .. so that you get process (ID) that is establishing the connection.

    or

    use TCPview by Systeminternals

    Use process explorer (systeminternals) to take a copy of the exe file and either directly send it to avira or check it on virustotal.com to see if avira and others have a detection for it.


    Stop using the machine till there is an update and the malware is removed from the machine.
    I'm going to try this solution, thanks ByTeWrangler... I got rid of it temporarily... or thought I did because for a while, I did not get the fake ebay page after login. But then after a reboot I tested again and the browser injection/redirection was happening again. I think whatever program I was scanning / cleaning with got rid of one copy but didn't remove the registry entry or some other copy. Hadn't tried anything with safe mode.

    I'll try to get a copy of the infected executable and submit it to Avira. I put my trust in the software for quite some time and have never had a problem. But like many people say, "don't put all your eggs in one basket".

    I have tried so many different programs its hard to remember which one temporarily did the trick... but I've been using TRK pretty frequently on customer systems. It's nice that the scripts run different scanners sequentially, but I haven't read up on automating the updating and scanning of all engines without user interaction.
    Analog = Classical
    Digital = Techno

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi there blakdeth,

    This Microsoft Malware Protection Centre article may be of interest?

    http://blogs.technet.com/mmpc/archiv.../got-zbot.aspx

    Personally, I generally try to remove malware in safe mode, as it does tend to limit some things that might otherwise start.

    You might also look at CCleaner as it can wipe some of the places that malware can lurk. It also has a registry cleaning utility so you might get some mileage if you can kill the malware and then run both the cleaner and the registry fixer.

    http://www.ccleaner.com/

    Good Luck!
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Zeus is a NASTY bot. I just attended a presentation outlining some of its features. I would highly suggest reimaging the machine. One of the bot's main features is to steal credentials. It is highly sophisticated, and can get around several security measures [secureID, security questions, captchas, etc]. If you are in an organization, I would suggest checking the other machines on the network.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  7. #7
    Junior Member
    Join Date
    Mar 2010
    Posts
    1
    I concur with westin: reimage/reinstall the machine. If you can't, though, and you want to try your hand at cleaning it up, try the How-To-Geek's sequence: http://www.howtogeek.com/howto/9317/...virus-malware/

    The unlinked, abbreviated version:

    •Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
    •If that doesn’t work, reboot your PC into safe mode with networking (use F8 right before Windows starts to load)
    •Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
    •Reboot your PC and go back into safe mode with networking.
    •If that doesn’t work, and safe mode is blocked, try running ComboFix. Note that I’ve not yet had to resort to this, but some of our readers have.
    •Install MalwareBytes and run it, doing a full system scan. (see our previous article on how to use it).
    •Reboot your PC again, and run a full scan using your normal Antivirus application (we recommend Microsoft Security Essentials).

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    My normal approach would be to re-image, as clients don't like paying for "clever stuff"

    However, if you feel inclined you might like to try:

    MALWAREBYTES:

    http://www.malwarebytes.org/

    And A-SQUARED:

    http://www.emsisoft.com/en/software/free/

    Naturally the usual "rules" apply that is, update and run them in safe mode.

    Incidentally, you say you have Spybot................. have you tried a full scan with that in safe mode?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Slightly OT, but I have heard that a lot of Malware infections can be mitigated if you disallow executables from running from %temp% and c:\windows\temp. This can easily be done with software restriction policies, either in the local policy editor, or group policy.

    I think I will give it a shot when I get back to work, and see if anything blows up on me. :-P
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  10. #10
    Banned
    Join Date
    Jan 2008
    Posts
    605
    None of which really means anything if your not even logged into the proper account to begin with.

    Thats why most malware these days GetTokenInformation through the advapi32 library to check if your admin or not. Then popup a dialog box along the lines of, "Pretty please... disable UAC and run this as admin. I dare you!"

Similar Threads

  1. dark zeus
    By AphexTwin in forum AntiOnline's General Chit Chat
    Replies: 6
    Last Post: June 6th, 2002, 05:28 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides