Let’s take a look at the last 7 days of suspicious activity in which we find the Xilcter/Zeus Trojan running wild with an average of 864 unique events per customer. This is an average of over 120 per day. It’s becoming more and more evident that propagation of this Trojan has grown significantly. It seems that since the impact of these types of Trojans is based on advertisement and phishing that these infected hosts’ users brush off the advertisement as just another pop up. However, the bigger they are the harder they fall and there are cleaners readily available to remove its grasp.






The Xilcter/Zeus stems from the Win32/Xilcter.A.dll Trojan. It’s able to load a %System%\curslib.dll and %Templates%\curslib.dll. %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32

(Windows XP). %Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates. It then loads IEXPLORE.EXE and VMwareUser.exe to spawn many different types of advertisement to fool the user into installing or downloading further software.

Most of the major antivirus and anti malware providers have cleaners and detectors to safely remove this Trojan. The best way to mitigate the further growth of this Trojan are the same as any other serious threat on security, if the host is not necessary for production purposes then quarantine the host and provide the user with a spare clean host to always minimize the impact of Trojan spreading throughout your internal networks.

The faster your action plan is the less impact to loss of data, and gives you an opportunity to share information internally on the signs of Trojan activity to users to aid in early detection.




Tags: , , , , ,