The Zeus Virus is the popular term for the Zeus banking Trojan, recently used to steal banking account details and passwords in the U.K., resulting in a loss of more than $850,000 for those infected. The Zeus virus has been around for a number of years as part of the larger Zeus Crimeware Toolkit, and is available for purchase through rogue hacking forums across the Internet. Criminals who purchase the Zeus Crimeware kit are given a web interface panel to control the deployment and use of the Trojan, as well as an additional tool to create new Trojan binary files and encrypt the configuration file used by the virus. Other names that the Zeus Virus is known by include PRG, NTOS, Zbot, and WSNPOEM.

How Does the Zeus Virus Infect a Computer?

The Zeus Trojan infects computers in one of two ways: infected email attachments and infected downloads. Particularly nasty about the Zeus Trojan is that deployments of the malware compromise otherwise legitimate websites as one means of delivery to targeted computers. When a computer is initially infected, the Trojan creates the folder “%windir%\system32\wsnpoem”, where it saves “audio.dll” and “video.dll.” These files are then used to store information stolen from the infected computer as well as the configuration file that is downloaded after infection. The Trojan hides the folder after creating it. Next, the virus copies itself to “%windir%\system32\ntos.exe”; certain modifications of the virus instead name the copy “oembios.exe” in the same location. After this step, the virus checks the running processes on the computer for active firewalls. If there are none, it makes registry modifications so that the malware runs at computer start-up and continues to spread throughout the computer.

How Does Zeus Steal Data?

The Zeus Trojan is designed to steal sensitive banking information and then upload it to a secure, remote server identified in the virus configuration file. The file also identifies websites for the Trojan to target for infection to help further spread itself. After infection, Zeus captures information entered on on-line banking sites and sends it to the remote server. Some variants of the Trojan are able to display fake banking web pages as an alternative to stealing the data directly from the web form entry. The Trojan also includes the capability to take screenshots and to intercept passwords for FTP and POP3 email accounts.

Removing the Zeus Virus

Step 1 – Disable System Restore on your computer. To do so, choose the “Start,” “Settings,” and “My Computer” icons. Then select “Properties” and the “System Restore” tab. Click “Turn off System Restore on all drives.” Choose the “Apply,” “Yes,” and “OK” buttons to confirm the change in status. *Note: after removal of the Zeus virus, you will need to turn System Restore back on.

Step 2 – Restart the computer in Windows Safe Mode by pressing the “F8” key during a normal restart. Choose the “With Networking” menu option when prompted.

Step 3 – Update your computer antivirus program definitions. The majority of commercial antivirus programs will have an option to do so on the primary antivirus program control panel.

Step 4 – Run a complete antivirus scan of all of your computer's drives.

Step 5 – Open Windows Explorer by pressing the “Windows” and “E” keys simultaneously. Then, enable viewing of hidden files by selecting the “Tools” and “Folder Options” menu choices. Select the “View” tab and click “Show Hidden Files and Folders.”

Step 6 – For each of the Zeus variants below, navigate to the listed location and verify that the associated files have been deleted. If they have not, delete the files.

Zeus Variant 1:

\WINDOWS\system32\ntos.exe

\WINDOWS\system32\wsnpoem\audio.dll

\WINDOWS\system32\wsnpoem\video.dll

Zeus Variant 2:

\WINDOWS\system32\oembios.exe

\WINDOWS\system32\sysproc64\sysproc86.sys

\WINDOWS\system32\sysproc64\sysproc32.sys

Zeus Variant 3:

\WINDOWS\system32\twext.exe

\WINDOWS\system32\twain_32\local.ds

\WINDOWS\system32\twain_32\user.ds

Zeus Variant 4:

\WINDOWS\system32\sdra64.exe

\WINDOWS\system32\lowsec\local.ds

\WINDOWS\system32\lowsec\user.ds

Step 7 – Ensure the registry entries made by the Zeus Trojan have been removed. To open the registry, select the “Start” and “Run” menu buttons, enter “REGEDIT,” and press the “Enter” key. If any of the following entries exist, delete it by clicking the entry once and pressing the “Delete” key.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\"UID" = "[COMPUTERNAME]_[UNIQUE_ID]"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"{6780A29E-6A18-0C70-1DFF-1610DDE00108}" = "[HEXADECIMAL VALUE]"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"{F710FA10-2031-3106-8872-93A2B5C5C620}" = "[HEXADECIMAL VALUE]"


Step 8 – Exit the Registry Editor and restart your computer normally. After the system has restarted, turn Windows System Restore back on; the Zeus virus will then have been removed.
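The following PowerShell script is an added example, not part of the original article: it performs Steps 6 and 7 as a read-only check, testing for every file path and registry value the article lists and reporting what it finds without deleting anything. It assumes it is run from an elevated prompt on the infected machine and that Windows is installed under %SystemRoot%.

```powershell
# Added example: read-only check for the Zeus artifacts listed in the article.
# It reports findings only; deletion is left to the manual steps above.
$sys32 = Join-Path $env:SystemRoot 'system32'

# File indicators per variant, relative to \WINDOWS\system32, exactly as the article lists them
$variantFiles = @{
    'Variant 1' = @('ntos.exe', 'wsnpoem\audio.dll', 'wsnpoem\video.dll')
    'Variant 2' = @('oembios.exe', 'sysproc64\sysproc86.sys', 'sysproc64\sysproc32.sys')
    'Variant 3' = @('twext.exe', 'twain_32\local.ds', 'twain_32\user.ds')
    'Variant 4' = @('sdra64.exe', 'lowsec\local.ds', 'lowsec\user.ds')
}

# Registry indicators: the key and value name of each entry the article says to delete.
# HKEY_USERS has no drive alias, so it is reached through the Registry:: provider prefix.
$registryChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'userinit' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'userinit' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'; Name = 'UID' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'; Name = '{6780A29E-6A18-0C70-1DFF-1610DDE00108}' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'; Name = '{F710FA10-2031-3106-8872-93A2B5C5C620}' }
)

$findings = @()

# Test-Path matches hidden files too, so the hidden wsnpoem folder does not need special handling
foreach ($variant in $variantFiles.Keys) {
    foreach ($relativePath in $variantFiles[$variant]) {
        $fullPath = Join-Path $sys32 $relativePath
        if (Test-Path -LiteralPath $fullPath -PathType Leaf) {
            $findings += "[$variant] file present: $fullPath"
        }
    }
}

# A missing key or value makes Get-ItemProperty return nothing instead of throwing
foreach ($check in $registryChecks) {
    $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = $item.($check.Name)
        $findings += "registry value present: $($check.Key)\$($check.Name) = $data"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Zeus file or registry indicators from the article were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A value named "userinit" under a Run key is suspicious by itself, since the legitimate Userinit setting lives under Winlogon, so any hit on those two checks deserves attention even if the data differs from the path the article shows.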