What's new

Tutorial How To Deal With Zusy Spyware

Xerodeu

Forum Veteran
Joined
Jul 18, 2020
Posts
623
Solutions
1
Reaction
1,350
Points
701
Zusy Malware Information:

-This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

  • %Application Data%\{random folder 1}\{random file name 1}.exe - also detected as TSPY_ZBOT.ZUSY
  • %Application Data%\{random folder 2}\{random file name 2}.{random extension}
  • %Application Data%\{random folder 2}\{random file name 2}.tmp
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)



It creates the following folders:

  • %Application Data%\{random folder 1}
  • %Application Data%\{random folder 2}
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

This Spyware Add A Following Registry To Start Every Startup Of The Operating System
*HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run

{GUID} = "%Application Data%\{random folder 1}\{random filename 1}.exe

System Modification Registry of the malware

*HKEY_CURRENT_USER\Software\Microsoft\
{random key}

How To Remove The Spyware:
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must You do not have permission to view the full content of this post. Log in or register now. to allow full scanning of their computers.*(Use Malwarebytes And Turn On Scan For Rootkits And Use Expert System Algorithm To Scan The System)

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3
Restart in Safe Mode


Step 4
Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this You do not have permission to view the full content of this post. Log in or register now. first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {GUID} = "%Application Data%\{random folder 1}\{random filename 1}.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %System%\explorer.exe = "%System%\explorer.exe:*:Enabled:Windows Explorer"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • WarnonBadCertRecving = "0"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • EnableSPDY3_0 = "0"

Step 5
Reset Internet security settings

Step 6
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_ZBOT.ZUSY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this You do not have permission to view the full content of this post. Log in or register now. for more information.
Step 7

The following created files/folders/registry keys/registry entries cannot be identified by the user since there are no reference values in the created key. The only way it can be identified is by comparing the present system information with a backup. Note that the said components do not have to be deleted since it won't be harmful to the system.
  • HKEY_CURRENT_USER\Software\Microsoft\{random key}
  • HKEY_CURRENT_USER\Software\Microsoft\{random key}
    • {GUID} = "{random values}"
  • %Application Data%\{random folder 1}
  • %Application Data%\{random folder 2}
  • %Application Data%\{random folder 2}\{random file name 2}.tmp
  • %Application Data%\{random folder 2}\{random file name 2}.{random extension}
 

Similar threads

About this Thread

  • 2
    Replies
  • 329
    Views
  • 3
    Participants
Last reply from:
Sunroof

Online statistics

Members online
1,238
Guests online
5,502
Total visitors
6,740
Back
Top