
Find and Remove Zeus (Zbot) Banking Trojan

by Shanmuga

According to Trusteer, a security company, “Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. approximately 1% of the PCs in the US)…Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time.”

The report further states that, on a sample size of 10000 machines, “installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% – it’s just 23%.” Zeus_and_Antivirus (PDF)


Image: Trusteer

The Zeus banking trojan is also known as Zbot, WSNPOEM, NTOS and PRG. It steals credentials for various online services such as social networks, online banking accounts, FTP and email accounts. It spreads via email and drive-by downloads.

Prevx, an internet security company, states in their blog: “The criminals are careful to infect just a few PCs with each copy of the Trojan, thereby avoiding detection by honeypots/nets and subsequent researcher attention in security labs. By the time each copy of a ZEUS Trojan is identified by security researchers its job is done and a new fresh version will be dispatched to take over its role.”

The blog also outlines what to look for on a PC that may reveal a Zeus infection:

  • The ZEUS trojan will commonly use names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, LDnn.EXE and PPnn.EXE etc, so search your PCs for files with names like this. The ZEUS Trojan will typically be between 40KBytes and 150Kbytes in size.
  • Also look for a folder with the name WSNPOEM, this is also a common sign of infection for the ZEUS Trojan.
  • Finally, check the Registry looking for RUN keys referencing any of these names.

ZeuS Tracker (note: this site uses a self-signed certificate, which is invalid in major browsers. The link may be verified using one of the tools here at Online Website Security Check Tools) reveals the known locations of various versions of Zeus on a Windows system as follows:

Variant 1

  • C:\WINDOWS\system32\ntos.exe
  • C:\WINDOWS\system32\wsnpoem\audio.dll
  • C:\WINDOWS\system32\wsnpoem\video.dll

Variant 2

  • C:\WINDOWS\system32\oembios.exe
  • C:\WINDOWS\system32\sysproc64\sysproc86.sys
  • C:\WINDOWS\system32\sysproc64\sysproc32.sys

Variant 3

  • C:\WINDOWS\system32\twext.exe
  • C:\WINDOWS\system32\twain_32\local.ds
  • C:\WINDOWS\system32\twain_32\user.ds

Variant 4

  • C:\WINDOWS\system32\sdra64.exe
  • C:\WINDOWS\system32\lowsec\local.ds
  • C:\WINDOWS\system32\lowsec\user.ds
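The file-name, size and folder indicators listed above can be swept for in one pass over a directory tree, for instance the system32 folder of a mounted disk image. This is an added example, not code from Prevx or ZeuS Tracker; `scan_tree` and its reason labels are hypothetical names, and the root directory is whatever you pass in.

```python
import os
import re

# Fixed file names quoted on this page (Prevx list plus the ZeuS Tracker variants).
NAME_RE = re.compile(r"^(ntos|oembios|twext|sdra64|ld\d{2}|pp\d{2})\.exe$", re.I)
# Folder names the page lists under system32 for variants 1 to 4.
DROP_DIRS = {"wsnpoem", "sysproc64", "twain_32", "lowsec"}
# Prevx: "between 40KBytes and 150Kbytes in size".
MIN_SIZE, MAX_SIZE = 40 * 1024, 150 * 1024


def scan_tree(root):
    """Return sorted (reason, path) findings under root.

    os.walk also lists files carrying the HIDDEN attribute, so nothing is
    skipped the way it would be in a default Explorer view.
    A finding is a lead for manual review, not a verdict.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in DROP_DIRS:
                findings.append(("dropper-folder", os.path.join(dirpath, d)))
        for f in filenames:
            if not NAME_RE.match(f):
                continue
            path = os.path.join(dirpath, f)
            try:
                size = os.path.getsize(path)
            except OSError:
                # Locked or unreadable file: still worth reporting by name.
                findings.append(("name-match-unreadable", path))
                continue
            in_range = MIN_SIZE <= size <= MAX_SIZE
            findings.append(("name+size" if in_range else "name-only", path))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for reason, path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, path)
```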

Johannes Ullrich, chief research officer for the SANS Institute, says an option “for more technically savvy users” is to check the registry key that lists software that will start as a user logs in. The registry key can be found by following this path, he said:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

“ZeuS will add itself to the list, typically as ‘ntos.’ But this name may, of course, change at any time. Some anti-spyware will monitor this key for changes. Whenever anti-malware alerts the user about a change, the user should be highly suspect. But frequently, the alert is quite cryptic.”

There are other “less technical ways” to detect the botnet, he said. “For example, the bot may inject additional pages into online banking login screens. If the user is all of a sudden asked for a secret question, Social Security number or other unusual items during the login process, abort the login, and call your bank or try the login from another computer.”

SecureWorks further reveals that “the location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection.”

With Administrator rights:

  • %systemroot%\system32\sdra64.exe
  • %systemroot%\system32\lowsec
  • %systemroot%\system32\lowsec\user.ds
  • %systemroot%\system32\lowsec\user.ds.lll
  • %systemroot%\system32\lowsec\local.ds

Without Administrator rights:

  • %appdata%\sdra64.exe
  • %appdata%\lowsec
  • %appdata%\lowsec\user.ds
  • %appdata%\lowsec\user.ds.lll
  • %appdata%\lowsec\local.ds

ZeuS also makes registry changes to ensure that it starts up with Administrator privileges:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
“Userinit” = “C:\WINDOWS\system32\userinit.exe”
“Userinit” = “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe”

Without Administrator rights:

“Userinit” = “C:\Documents and Settings\<user>\Application Data\sdra64.exe”

MMPC weighs in with a way to check for the existence of Win32/Zbot infection manually using Windows command prompt:

“A clean system by default should not have any unique ID made by the malware, so if you run the following:

  • REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network" /v UID

– or –

  • REG QUERY "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network" /v UID

an infected machine would return the following data in the following format:

  • _ (for example, COMP1_00038EB9)

The userinit startup key specifies what program should be launched right after a user logs on to Windows. Win32/Zbot adds its path into the data value and protects that value from being changed while it is active. Running the following query returns the Zbot program:

  • REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit
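The two registry checks above can also be applied to saved `REG QUERY` output, for example when triaging text collected from several machines. This is an added example, not MMPC's code; the function names are hypothetical, the sample outputs are constructed from values quoted on this page, and C:\WINDOWS is assumed as the system root.

```python
import re

# One value line of REG QUERY output: "    <name>    REG_SZ    <data>"
# (older Windows versions separate the fields with tabs instead of spaces).
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed samples built from the values shown on this page.
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe
"""
SAMPLE_UID = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID    REG_SZ    COMP1_00038EB9
"""


def reg_value(reg_output, name):
    """Return the data of value `name` in REG QUERY text, or None if absent."""
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == name.lower():
            return m.group(3).strip()
    return None


def userinit_extras(reg_output, systemroot=r"C:\WINDOWS"):
    """List Userinit entries other than the stock userinit.exe."""
    data = reg_value(reg_output, "Userinit")
    if data is None:
        return None  # value not in the output: the query failed or hit another key
    expected = (systemroot + r"\system32\userinit.exe").lower()
    entries = [e.strip().strip('"') for e in data.split(",")]
    return [e for e in entries if e and e.lower() != expected]


def triage(winlogon_out, network_out):
    """Combine both checks into a list of findings for manual review."""
    findings = []
    extras = userinit_extras(winlogon_out)
    if extras is None:
        findings.append("Userinit value not found in output")
    for entry in extras or []:
        findings.append("Userinit launches extra program: " + entry)
    uid = reg_value(network_out, "UID")
    if uid is not None:
        findings.append("Network\\UID present: " + uid)
    return findings
```

An extra Userinit entry is a reason to inspect the named file, since legitimate software occasionally adds itself there too.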

Trend Micro blogs that the recent variants (as of 26 Apr 2010) use random names for files and directories, a major change: the earlier variants used fixed file names. In addition, the trojan now injects itself into ctfmon.exe, explorer.exe, rdpclip.exe, taskeng.exe, taskhost.exe and wscntfy.exe.

“From this list, we can see that the new ZBOT version now “features” support for both Windows Vista and Windows 7. Taskeng.exe and Taskhost.exe are processes both found in Windows Vista and Windows 7 though neither were found in older versions such as Windows XP.”

Symantec confirms that the new variant “is now known as version 2.0 (named after the Trojan builder kit version).

Version 2.0 adds the following registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”{[VOL_GUID]}” = “%User Profile%\Application Data\\.exe”

(Where [VOL_GUID] is the volume GUID of WINDOWS mount point. And , is generated based on Mersenne’s Pseudo random number generator.)”

How to remove Zeus (Zbot) – Zeus (Zbot) Removal

Run a full-system scan with an up-to-date antivirus and optionally an antimalware product to find and remove Zeus (Zbot) infection.

Recommended free antivirus software:

Alternatively an online malware scanner like Trend Micro HouseCall or Windows Live OneCare safety scanner may also be used to scan your system for bot infection. More Online Anti-virus Scanners.

Recommended free antimalware software:

With just a 23% detection rate for an up-to-date antivirus against this trojan in the wild, will the common user ever feel confident enough to make secure online transactions?


Updated on 06 May 2010.


PC Security July 4, 2010 at 1:11 PM

We were able to successfully disinfect a test machine manually with the above information and running super antispyware along with Autoruns. Super-Antispyware is a great tool.


Richard August 11, 2010 at 5:46 PM

FYI The zeus tracker site link gives a warning in Firefox 3.6.3 due to an insecure self signed https certificate, which raises concerns and makes it difficult to progress.


Shanmuga August 11, 2010 at 7:55 PM

Yes, they do use a self-signed certificate…it’s flagged as such by all major browsers. The genuineness of the link may be verified by using one of link verification tools available here at Online Website Security Check Tools. But I agree that not many would take the trouble. I will add a note next to the link.

Brendon Morgan August 12, 2010 at 7:42 AM

Thanks for this useful share. Was able to successfully remove ZBot from a colleague’s computer following this guide.


Mark September 29, 2010 at 2:59 PM

Yet another reason why not using Windows is better for security, using Linux I never have these issues and I can use all my online banking facilities without worry…plus I ignore emails I know nothing about or which are obviously fake (look in the email headers)…


talvi November 8, 2010 at 2:42 PM

Why isn’t Spybot listed here? In addition to being a free anti mal/spyware app it has a tiny module called Tea Timer that monitors changes to the registry and allows the user to block any unwanted attempts to make changes. It is free, and it is minuscule: 5kb (yup 5KB not 5MB) having no effect on system speed at all. Spybot also allows users to see all programs that are set to run at start up, provides information on them, advises on whether they are essential or not, and allows them to be disabled before deleting them if they prove unnecessary or unwanted. Another free app called Crap Cleaner also allows the startup file list to be monitored etc, the registry to be cleaned of “bad” keys, and so on.

