
Protecting a Computer From the Zeus Virus

written by: Karishma Sundaram • edited by: Jean Scheid • updated: 5/20/2010

One of the most notorious financial malware infections, Zeus, has reared its ugly head a number of times and under many guises. This article focuses on protecting a computer from a Zeus virus by staying vigilant and knowing where to look for a possible infection.


    What is the Zeus Virus?

    There are differing opinions as to the exact nature of the Zeus virus. Some claim it is a Trojan, others insist it is a virus. One thing is for certain: the Zeus malware is quite dangerous.

    Zeus settles into a computer to extract financial information from users. Ordinarily the virus waits for a user to log into a banking or online payment site and then steals the typed-in information from the web page. In another guise, the virus inserts HTML into the browser via secure web pages. The user then assumes the site belongs to the financial institution in question and provides the requested data accordingly. In these scenarios, the information is sent to the attacker, not the institution, without either the financial organization or the user being any the wiser.

    This method is used to extract as much information as possible from the user because the attacker has the freedom to design the fake web page in any manner that he or she chooses.


    Detecting a Zeus Infection

    When considering protecting a computer from a Zeus virus, keep in mind that the malware masquerades under a number of monikers, which perhaps contributes to the difficulty of getting rid of it. It is also known as Zbot and Kneber, among many other names.

    The easiest way to determine whether a computer is infected with the Zeus virus is to examine the operating system processes for any anomalies. Typically, the virus processes will have file names like one of the following examples:

    • ntos.exe
    • ld08.exe
    • ld12.exe
    • pp06.exe
    • pp08.exe
    • ldnn.exe
    • ppnn.exe

    Alternatively, these files can be located in the file system of the infected computer and a search should easily reveal them. If the files and processes are hidden from a user, a sure-fire way to detect an infection is to examine the registry key:

    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

    If the key has an entry for ntos.exe, the computer is infected with Zeus.
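The process and registry checks described above can be scripted in PowerShell. This is an added example, not part of the original article: the function names are hypothetical, the sample value is constructed, and it assumes "nn" in the listed file names stands for any two digits.

```powershell
# Added example: checks only the indicators named in the article above.
# Assumption: "nn" in ldnn.exe / ppnn.exe means any two digits.
$NamePattern = '^(ntos|(ld|pp)\d{2})\.exe$'

function Get-SuspectUserinitEntry {
    # The UserInit value is a comma-separated list of programs run at logon.
    param([string]$UserinitValue)
    $UserinitValue -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and (($_ -split '\\')[-1] -match $NamePattern) }
}

function Get-SuspectProcess {
    # Win32_Process.Name includes the .exe extension (Get-Process omits it).
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -match $NamePattern } |
        Select-Object ProcessId, Name, ExecutablePath
}

# Constructed sample value (not from a real machine): the second entry is flagged.
$sample = 'C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,'
Get-SuspectUserinitEntry -UserinitValue $sample

# Live check of the registry value and the process list on this machine.
$key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -Path $key -Name UserInit).UserInit
$regHits = @(Get-SuspectUserinitEntry -UserinitValue $live)
$procHits = @(Get-SuspectProcess)

"UserInit = $live"
if ($regHits.Count -or $procHits.Count) {
    Write-Warning 'Indicators from the article found:'
    $regHits
    $procHits | Format-Table -AutoSize
} else {
    'No listed file names in UserInit or the process list.'
}
```

A clean result only means these specific names were not seen; as noted above, the files and processes may be hidden from the user, so the registry value is the more reliable of the two checks.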

    A user should be suspicious if a website suddenly asks for private information, in the midst of a transaction, for example. There are legitimate reasons why a site would require authentication from time to time; however, there is always a logical sequence. If the user encounters an unexpected request for information, it is best to try logging in from another machine to be absolutely sure of legitimacy.


    Protection is Your Best Bet

    The detection rate for the Zeus virus is sadly low, especially when considering the rate at which it can spread. Although there are chances that the malware may slip through defenses, the best method to keep out Zeus is to have a good antivirus program with an up-to-date virus definition database. It is a common misconception, however, that antivirus software is impenetrable. It is vital to have a triad of Internet security applications: an antivirus, a firewall, and a good antispyware application.

    Removal is slightly more complicated if the infection is detected manually rather than through an antivirus application. Usually the virus files are protected by rootkits, and removal involves changing the permissions of the registry key. An anti-malware application will monitor the registry key for modification, thereby alerting the user to potential infections.

    Protecting computers from a Zeus virus is not difficult, but an infection that is left undetected can be harmful. Use multiple applications and check files often to ensure your financial information is safe and secure.