Am I infected with Zeus virus? Files that are associated with the notorious virus

Zeus holds the No. 1 position in the list of the most dangerous financial malware

Zeus virus is a malicious computer program that is also known as the Zbot Trojan horse[1]. It targets Windows operating systems and is often employed by cybercriminals to take control of victims’ computers and steal sensitive data such as banking information by logging the victim’s keystrokes. The malware first emerged in 2007[2], although its distribution accelerated in 2009. It is tricky, uses sophisticated obfuscation techniques and tends to remain on the system without showing any sign of its presence; therefore it takes special skills to identify it, let alone remove it. On top of that, the virus is generated by numerous cybercriminals using the Zeus Toolkit, a tool that allows building a customized variant with the remote-control options the attacker prefers. The program is mostly distributed via phishing emails that contain links or attachments laden with malware, drive-by downloads, and possibly other malware distribution channels.

Zeus-related tech support scams

Meanwhile, the name of the Zeus trojan has become a popular lure in social engineering attacks[3]. It attracted cybercriminals’ attention, and they decided to use the name of this well-known and widespread virus in their fraudulent schemes without using the malware itself. Malevolent actors came up with the idea of tricking unsuspecting victims into calling tech support scammers by displaying deceptive messages on their screens with the help of adware-type or screen-locking malware. Such pop-ups can appear after visiting a malicious domain or simply because the computer is infected with the ad-supported or screen-locking program just described. These warnings usually announce “malicious activity on the system” or that the “Zeus virus was detected on the system” and urge the victim to call “certified experts at Microsoft” for help. Unfortunately, calling the scammers will not solve the problem; on the contrary, the victim ends up facing even more issues. Scammers tend to request remote access to the allegedly infected computer, intending to find valuable information or plant additional malware on the system. In some cases, they suggest buying overpriced security software packages through insecure payment websites. Clearly, the aim of these scammers is to swindle whatever is valuable from the victim, whether money or information. But how is the victim supposed to know whether they are dealing with the real virus or a scam?

Identifying the virus – what files are associated with Zeus?

The real Zeus virus consists of a toolkit (used by attackers) and an executable, which can be named however the attacker wants; however, most kits create one of the following files:

  • Ntos.exe;
  • Oembios.exe;
  • Twext.exe;
  • Sdrwa64.exe;
  • Pdfupf.exe.

The virus then creates a lowsec folder in the System or Application Data folder and drops a configuration file there with one of the following names: video.dll, sysproc32.sys, user.ds or ldx.exe.
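As an added example that is not part of the original article, the following Python script sweeps the folders named above for the executable names, the lowsec folder and the configuration file names just listed. The indicator names come from the article; the root directories it defaults to, the function names and the labels it prints are assumptions. A match is only a lead, since a legitimate program could use one of these generic names, so each hit should be confirmed with a hash lookup or a full anti-malware scan rather than treated as proof of infection.

```python
"""
Indicator sweep for the Zeus/Zbot file and folder names listed in the article.
Added example, not code from the page or from any Zeus analysis tool. It walks
the given directories, matches names case-insensitively against the published
indicators and returns every hit with a label. A hit is a lead to confirm, not
a verdict: the names are generic enough that a benign program could use one.
"""
import os
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Executable names the article says most Zeus kits create.
ZEUS_EXECUTABLES = {"ntos.exe", "oembios.exe", "twext.exe", "sdrwa64.exe", "pdfupf.exe"}
# Configuration file names the article says are dropped into the lowsec folder.
ZEUS_CONFIG_FILES = {"video.dll", "sysproc32.sys", "user.ds", "ldx.exe"}
LOWSEC_DIR = "lowsec"


def classify(path: Path) -> Optional[str]:
    """Return an indicator label for `path`, or None when it matches nothing.

    A config name counts only when it sits directly inside a lowsec folder,
    so a stray video.dll elsewhere on disk is not reported.
    """
    name = path.name.lower()
    if name in ZEUS_EXECUTABLES:
        return "zeus-executable-name"
    if name in ZEUS_CONFIG_FILES and path.parent.name.lower() == LOWSEC_DIR:
        return "zeus-config-in-lowsec"
    if path.is_dir() and name == LOWSEC_DIR:
        return "lowsec-folder"
    return None


def sweep(roots) -> List[Tuple[str, str]]:
    """Walk each existing root and collect (label, path) pairs for every match."""
    hits: List[Tuple[str, str]] = []
    for root in roots:
        root = Path(root)
        if not root.exists():
            continue  # missing roots (e.g. on non-Windows hosts) are skipped
        for dirpath, dirnames, filenames in os.walk(root):
            base = Path(dirpath)
            for entry in list(dirnames) + list(filenames):
                label = classify(base / entry)
                if label:
                    hits.append((label, str(base / entry)))
    return hits


def default_roots() -> List[Path]:
    """Windows locations named in the article: the System folder and
    Application Data. Resolved from environment variables; empty elsewhere."""
    roots: List[Path] = []
    windir = os.environ.get("SystemRoot")
    if windir:
        roots.append(Path(windir) / "System32")
    for var in ("APPDATA", "LOCALAPPDATA"):
        val = os.environ.get(var)
        if val:
            roots.append(Path(val))
    return roots


if __name__ == "__main__":
    # Usage: python zeus_sweep.py [folder ...]; defaults to the article's folders.
    for label, hit_path in sweep(sys.argv[1:] or default_roots()):
        print(f"{label}\t{hit_path}")
```

Run it as an administrator so that the System folder is readable, and pass explicit folders on the command line when sweeping a mounted image instead of a live host. The lowsec check is deliberately path-sensitive: the article ties the configuration names to that folder, and matching them anywhere on disk would bury the useful hits in noise.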

Summarizing the information above, one detail helps to tell whether the system is infected with the Zeus virus or not. If the computer will not fully load, or if it randomly opens a web browser and displays warnings that the system is infected with Zeus, it probably isn’t. In that case the victim is dealing with tech-support-scam malware and has to find the program that blocks access to the system or controls the web browser to serve these deceptive messages, and eliminate it using a professional malware removal tool. With the real Zeus virus there will be no signs of its presence; the only thing that can unveil it is an anti-malware program. Sadly, the majority of victims identify the infection only after checking their bank balance and discovering numerous unauthorized money transfers.

Ugnius Kiguolis