Can someone explain how a virus did this?

Sorry for the long response time. I can un-encrypt, I was just being lazy. I have many other machines to attend to here, but this is interesting to find out what did this. I'll get it on and see what I can find.

OP, did your client have any AV protection? I'm guessing not?

He had up-to-date Managed AV (Vipre) from GFI installed. Management saw nothing bad happen, it slipped right through.
 

Can you dropbox the attachment or upload it to virustotal?
 

He deleted and emptied deleted mail before even telling me. I know I can go back in Exchange and get it, but I'm really hesitant to take even the smallest chance at causing more issues. They are a financial company with lots to lose.
 
Zeus is a malware/virus. Man In The Browser is the term used to describe what is going on. There are other viruses besides Zeus that do Man In The Browser attacks. Not all Zeus variants use Man In The Browser.

What variants?

This has all the earmarks of Zeus. Google "In order to provide you with extra security, we occasionally need to ask for additional information when you access your accounts"....
 

Yes, it sounds like it probably is a Zeus variant.

If you look up the Wikipedia entry on Zeus it states early on that it can be modified to steal all sorts of information - implying many variants. One variant is used to install CryptoLocker rather than fake web form popups.
 
There is another virus that acts very, very similar to Zeus but I do not recall the name of it. Either way, Malwarebytes Anti-Rootkit will likely detect whatever is infecting the machine.
 

The problem is Zeus has been open source for a little while. Anyone can get the code from GitHub: https://github.com/Visgean/Zeus. Of course that's just partial code, the rest is floating around somewhere.

There's a variant called ZeusVM that hides in jpg images. http://www.scmagazine.com/new-variant-of-zeus-banking-trojan-concealed-in-jpg-images/article/334477/

Here is a digitally signed variant, discovered a couple of weeks ago. http://www.theregister.co.uk/2014/04/05/digitally_signed_zeus/

They say the creator retired, if that's true, someone has to be making variants. A customer came in with a new Zeus infection the other week. It was downloading updates to itself from various offshore servers, Amazon hosting servers, and from files on mookie1.com domain. I find trojans like Zeus, TDSS, Purple Haze, and ZAccess all very fascinating.

Sadly, these kinds of malware are not going away. Stealing credit cards is easy money and almost the "perfect crime." (There is no perfect crime, but still.)
 
Just wanted to post a followup, I un-encrypted and scanned with an offline scanner. Here are the results.

Z-bot it is!
 
Things you could try:
Freeware programs such as:
1) Malwarebytes Anti-Exploit (very good), and
2) HitmanPro.Alert (also very good).
3) Run Firefox.
4) Add the NoScript add-on to Firefox.
5) Add Adblock Plus to Firefox.
6) Run (gasp) Symantec's old NoScript.exe that turns off WSH, VBS, and Java.
7) Run a virtual machine with CPU virtualization.
8) Use a non-writable hardware solution such as: http://www.ebay.com/itm/like/261322015154?lpid=82
9) Use Linux.
10) Use an HP Mini dual core with 2 power buttons, one for a Linux thin client with web, one for Windows 7.
11) Use only browsers that have built-in sandboxing like IE or Firefox.
12) Always empty accumulated web trash on browser close.
13) Use Spybot's immunizer.
14) Restrict the Internet zone to only allow your bill pay URLs.
 