zeus.zbot.aoaq: How to Find and Remove Zeuszbotaoaq Banking Trojan


How to Find and Remove Zeuszbotaoaq Banking Trojan: According to Trusteer, a security company, “Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. approximately 1% of the PCs in the US)…Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time.”

The report further states that, on a sample size of 10000 machines, “installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti-virus against Zeus is thus not 100%, not 90%, not even 50% – it’s just 23%.” Zeus_and_Antivirus (PDF)

The Zeus banking trojan is also known as Zbot, WSNPOEM, NTOS and PRG. It steals credentials for various online services such as social networks, online banking accounts, FTP and email accounts. It spreads via email and drive-by downloads.

Prevx, an internet security company, states in their blog: “The criminals are careful to infect just a few PCs with each copy of the Trojan, thereby avoiding detection by honeypots/nets and subsequent researcher attention in security labs. By the time each copy of a ZEUS Trojan is identified by security researchers its job is done and a new fresh version will be dispatched to take over its role.”

The blog also lists what to look for on a PC that may reveal a Zeus infection:

* The ZEUS Trojan will commonly use names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, LDnn.EXE and PPnn.EXE etc., so search your PCs for files with names like this. The ZEUS Trojan will typically be between 40 KBytes and 150 KBytes in size.
* Also look for a folder with the name WSNPOEM; this is also a common sign of infection for the ZEUS Trojan.
* Finally, check the Registry, looking for Run keys referencing any of these names.

abuse.ch ZeuS Tracker (note: this site uses a self-signed certificate, which is invalid in major browsers. The link may be verified using one of the tools here at Online Website Security Check Tools) lists the known locations of various versions of Zeus on a Windows system as follows:

Variant 1

* C:\WINDOWS\system32\ntos.exe
* C:\WINDOWS\system32\wsnpoem\audio.dll
* C:\WINDOWS\system32\wsnpoem\video.dll

Variant 2

* C:\WINDOWS\system32\oembios.exe
* C:\WINDOWS\system32\sysproc64\sysproc86.sys
* C:\WINDOWS\system32\sysproc64\sysproc32.sys

Variant 3

* C:\WINDOWS\system32\twext.exe
* C:\WINDOWS\system32\twain_32\local.ds
* C:\WINDOWS\system32\twain_32\user.ds

Variant 4

* C:\WINDOWS\system32\sdra64.exe
* C:\WINDOWS\system32\lowsec\local.ds
* C:\WINDOWS\system32\lowsec\user.ds
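The checks described by Prevx (file names, size range, WSNPOEM folder, Run keys) and the ZeuS Tracker variant paths above can be applied mechanically to an inventory of files and Run-key values. The following is an added example, not code from the article, Prevx or abuse.ch; the regexes, the two-digit reading of LDnn/PPnn and the record formats are assumptions, and the inputs in the test are constructed.

```python
# Added example: match the indicators listed on the page against file and
# Run-key records. Regexes and record formats are assumptions, not from the page.
import re

# Names Prevx lists; LDnn/PPnn are assumed to mean two decimal digits.
NAME_RE = re.compile(r"^(ntos|ld\d\d|pp\d\d)\.exe$", re.IGNORECASE)
MIN_SIZE, MAX_SIZE = 40 * 1024, 150 * 1024  # 40-150 KBytes per Prevx
# Known drop paths from the ZeuS Tracker variant list (lower-cased).
KNOWN_PATHS = {
    r"c:\windows\system32\ntos.exe",
    r"c:\windows\system32\wsnpoem\audio.dll",
    r"c:\windows\system32\wsnpoem\video.dll",
    r"c:\windows\system32\oembios.exe",
    r"c:\windows\system32\sysproc64\sysproc86.sys",
    r"c:\windows\system32\sysproc64\sysproc32.sys",
    r"c:\windows\system32\twext.exe",
    r"c:\windows\system32\twain_32\local.ds",
    r"c:\windows\system32\twain_32\user.ds",
    r"c:\windows\system32\sdra64.exe",
    r"c:\windows\system32\lowsec\local.ds",
    r"c:\windows\system32\lowsec\user.ds",
}
# A Run-key command referencing a listed name or the WSNPOEM folder.
RUN_RE = re.compile(r"(?<![a-z0-9])(ntos|ld\d\d|pp\d\d)\.exe|wsnpoem", re.IGNORECASE)


def check_file(path: str, size: int) -> list[str]:
    """Return the indicator labels a single (path, size in bytes) record matches."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    hits = []
    if p in KNOWN_PATHS:
        hits.append("known-zeus-path")
    if NAME_RE.match(name) and MIN_SIZE <= size <= MAX_SIZE:
        hits.append("suspicious-name-and-size")
    if "\\wsnpoem\\" in p or p.endswith("\\wsnpoem"):
        hits.append("wsnpoem-folder")
    return hits


def check_run_values(values: dict[str, str]) -> list[str]:
    """Return the Run-key value names whose command references a listed indicator."""
    flagged = []
    for value_name, command in values.items():
        cmd = command.lower()
        if RUN_RE.search(cmd) or any(k in cmd for k in KNOWN_PATHS):
            flagged.append(value_name)
    return flagged
```

On a live host, feed check_file the output of os.walk over System32 and check_run_values the HKLM and HKCU Run values read with winreg; a hit is a reason to investigate, not proof of infection, since the name and size test alone will also match benign files.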

More information here