ZEUS has been around in various generations for a few years now. Here is a link to an article from 2007, when a ZEUS Trojan infiltrated several prominent US organizations: ZEUS infects US organizations.
ZEUS is easily and commonly dropped by an exploit, and is also spread through social engineering techniques that abuse job sites and the like. The ZEUS Trojan, or ZEUS Banking Trojan, is also referred to by some security firms as WSNPOEM and Gorhax.
Outwardly, a ZEUS-infected PC shows no obvious signs of infection. The ZEUS Banking Trojan can rifle through your Internet cache for stored login and password credentials; it can also eavesdrop on keystrokes and screen contents, and it can even modify a web page by injecting extra form fields to capture additional data, just in case what the criminals want to steal isn't already on the page.
As a recent, much-hyped article claimed, ZEUS frequently bypasses popular antivirus and Internet security suites. The criminals are careful to infect just a few PCs with each copy of the Trojan, thereby avoiding capture by honeypots and honeynets and the researcher attention in security labs that would follow. By the time each copy of a ZEUS Trojan is identified by security researchers, its job is done and a fresh version is dispatched to take over its role.
No one has an accurate count of the real number of ZEUS infections, but it must run to millions of PCs worldwide. We uncovered a cache of stolen information captured by a ZEUS Trojan earlier this year. This data came from 160,000 PCs infected by ZEUS Trojans. During the six weeks we tracked this crop of infections, it reached a peak of 20,000 new PC infections per day.
Now for some telltale signs of ZEUS. Using this information you can check your PC for signs of ZEUS infection. You may also use it to help remove the ZEUS Trojan, or at least disable it.
The ZEUS Trojan commonly uses file names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE and SRA64.EXE (more generally LDnn.EXE and PPnn.EXE, where nn is a two-digit number), so search your PC for files with names like these. The ZEUS Trojan executable is typically between 40 KBytes and 150 KBytes in size.
Also look for a folder named WSNPOEM; this is another common sign of ZEUS infection.
Finally, check the Registry for Run keys referencing any of these names.
Do not assume that, because your antivirus or Internet security suite shows no signs of infection, your PC is free of the ZEUS Trojan.
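The three checks above (file names and sizes, the WSNPOEM folder, Run keys) as one triage script. This is an added example, not Prevx's code and not part of the original post: it walks a directory tree for the listed names and reports whether each hit falls in the 40-150 KB band, flags any WSNPOEM folder, and parses a .reg export of the Run keys for references to those names. The sample directory tree and the sample .reg text are constructed here so the script runs offline; sdra64.exe is included from the comment thread below the post; the function and constant names are this example's own.

```python
"""Triage helper for the ZEUS indicators listed above (added example, not Prevx code).
Everything here is built only on the post's own indicators: the file names, the
40-150 KB size band, the WSNPOEM folder, and Run keys referencing those names."""
import os
import re
import tempfile

# Core file-name pattern from the post; LDnn/PPnn are the two-digit variants.
# sdra64.exe comes from the comment thread, not from the post body.
_CORE = r"(ntos|sra64|sdra64|ld\d{2}|pp\d{2})\.exe"
NAME_RE = re.compile(rf"^{_CORE}$", re.IGNORECASE)                        # whole file name
REF_RE = re.compile(rf"(?<![a-z0-9]){_CORE}(?![a-z0-9])", re.IGNORECASE)  # inside a command line
MIN_SIZE, MAX_SIZE = 40 * 1024, 150 * 1024                                # typical band per the post
SUSPECT_DIR = "wsnpoem"


def scan_tree(root):
    """Walk root. Returns {"files": [...], "dirs": [...]}: files whose name matches
    NAME_RE (with an in_range flag for the size band) and folders named WSNPOEM.
    A hit outside the size band is still reported; the name alone deserves a look."""
    found = {"files": [], "dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == SUSPECT_DIR:
                found["dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            if NAME_RE.match(f):
                path = os.path.join(dirpath, f)
                size = os.path.getsize(path)
                found["files"].append({"path": path, "name": f.lower(), "size": size,
                                       "in_range": MIN_SIZE <= size <= MAX_SIZE})
    return found


# A .reg export has one [KEY] header per key and "name"="data" lines under it;
# backslashes inside string data are doubled.
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def scan_run_keys(reg_text):
    """Parse the text of a .reg export (e.g. from
    reg export HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg,
    which writes UTF-16; decode it before calling) and return
    (key, value_name, command) for every Run/RunOnce value naming a ZEUS-style file."""
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            name = key.group(1)
            current = name if name.lower().endswith(("\\run", "\\runonce")) else None
            continue
        if current is None:
            continue          # value under some other key: not a Run key, ignore
        val = _VALUE_RE.match(line)
        if val:
            command = val.group(2).replace("\\\\", "\\")   # undo .reg backslash doubling
            if REF_RE.search(command):
                hits.append((current, val.group(1), command))
    return hits


# Constructed sample of a .reg export: one benign Run value, one ZEUS-style one,
# and a matching name under a key that is NOT a Run key (must be ignored).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"pp06"="C:\\WINDOWS\\system32\\pp06.exe"
"""


def build_sample_tree():
    """Constructed on-disk sample so the scan runs offline: a 60 KB ntos.exe and a
    WSNPOEM folder under a fake system32, a benign exe, and an oversized ld12.exe."""
    root = tempfile.mkdtemp(prefix="zeus_demo_")
    os.makedirs(os.path.join(root, "WINDOWS", "system32", "wsnpoem"))
    os.makedirs(os.path.join(root, "Program Files"))
    for rel, size in (("WINDOWS/system32/ntos.exe", 60 * 1024),
                      ("Program Files/notepad.exe", 10 * 1024),
                      ("ld12.exe", 2 * 1024 * 1024)):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()   # on a real box: the system drive, e.g. "C:\\"
    found = scan_tree(root)
    for f in found["files"]:
        band = "in typical size band" if f["in_range"] else "outside typical size band"
        print(f"file  {f['path']}  {f['size']} bytes  ({band})")
    for d in found["dirs"]:
        print(f"dir   {d}")
    for key, name, cmd in scan_run_keys(SAMPLE_REG):
        print(f"run   {key} -> {name} = {cmd}")
```

On a real machine, point scan_tree at the system drive and feed scan_run_keys the decoded text of a `reg export` of the HKLM and HKCU `...\Windows\CurrentVersion\Run` keys (the export is UTF-16, so open it with `encoding="utf-16"`). A name match is a lead, not a verdict: confirm it with the size band and the Run-key reference before deleting anything, and treat a clean result as no more than the absence of these particular indicators.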
4 comments so far
- Andy WIlliams on Oct 13 18:38, 2009
- George Zarate on Oct 21 5:02, 2009
You didn't mention if PrevX has the ability to detect this, either as an attempted infection or as an already installed one. Or if it can remove it. I assume so but I prefer explicit confirmation :-)
Seems like everyone's trying to copy you and trying to switch to cloud. Must be the pcmag editors choice award that helped.
Well, you forgot sdra64.exe, by far the most common one.