14 Replies Latest reply on Sep 2, 2011 11:04 PM by Hayton

    Trojan:GOZI

    golfer1john

      My bank tells me I am infected with Trojan:Gozi.  This is a Russian keylogger that has been around since 2004.  There are some recent items on the Internet about there being a new version of it starting late 2010, but no details as to how to detect or remove it.  I do not have the symptoms reported in 2004 (i.e., registry entries or files in My Documents that are only visible in SAFE mode).

       

      McAfee says my machine is fine, full scan finds nothing.  Everything is up to date.  I did a Chat with McAfee tech support, and Kevin told me that McAfee antivirus program is able to detect Trojan:Gozi.  I believe that may be true of the 2004 version of it, but I am not sure about this latest one.

       

      Another related problem is that I don't know which of the two computers I use is supposed to be infected, my own or the one I use at work.  Both have McAfee.  The bank gave me a 7-digit number that is supposed to identify the infected machine, but it does not match the 7-digit Service Tag on either machine.  McAfee offered to disinfect me for $89, but I don't even know which machine to have them work on.

       

      The bank (ING Direct) thinks I am infected because their Trusteer program Rapport told them. 

       

      Has anyone else been able to detect and remove this virus? 

       

      Does anyone know if McAfee really detects it or not?

       

      Has anyone had false reports of infection generated by Rapport?

       

      Thanks,

       

      John

        • 1. Re: Trojan:GOZI
          Hayton

          There has been a modified version of this trojan around since last October. There are rumours that it is being modified to have some of the characteristics of the Zeus trojan after the source code for that malware was leaked earlier this year. So it is possible that you have a zero-day infection for which the antidote is not yet ready; however, McAfee claims to be up to date with protection against it. Confusingly, there are two entries for this in the threats database, at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=567716#none

          and http://home.mcafee.com/virusinfo/virusprofile.aspx?key=571217#none, with dates of August 22 and 26. Both entries say you should disable System Restore then download the latest DAT and product files, and run a Full Scan (it doesn't say whether the scan should be done from Safe Mode, which is sometimes advised).

           

          I checked the list of malware that the latest Stinger deals with and did not see this there.

           

          If you go looking for this trojan, be prepared for confusion : according to VirusTotal it has at least 17 different names given it by different AV vendors. See http://www.tidos-group.com/blog/?p=416 for a commentary on this.

           

          I checked Microsoft's Malicious Software Removal Tool to see if it provided coverage for this, and it does not. The Microsoft Threat Encyclopedia entry (not very informative) is HERE.

           

          I don't know much about Rapport, but what little I have heard indicates that it is pretty efficient. I know nothing of any FP's, although there may be some.

           

          So, try running a Full Scan as advised above. If nothing is found, let us know.

          • 2. Re: Trojan:GOZI
            golfer1john

            Thanks Hayton,

             

            I updated McAfee on my home computer and ran a full scan on 8/27, and it found nothing.  The scans on my work computer occur on Wednesdays, but I don't control the updating or scheduling, and I don't know if I can see the results of the scan.  I'll try some things now.

            • 3. Re: Trojan:GOZI
              golfer1john

               McAfee updates daily on my work computer, and I'm running a full scan now.  I was unable to disable system restore.  Does that matter?  Or is it only to prevent restoring a virus after it has been removed?

              • 4. Re: Trojan:GOZI
                Hayton

                Yes, the reason given to disable system restore is to prevent an infection being saved there.

                 

                I'm not too sure why the scan you ran on the 27th didn't recognise this malware, if indeed the bank is correct that you have it on your machine. When they contacted you did they say anything about the contents of your user agent string? There was a thread here a while back about WebMoney Advisor which explains what I mean and gives links for you to check the contents of your user agent string.

                 

                McAfee has a program called GetSusp which might be of use here. If it turns up nothing, I recommend you do what the other poster did and ask for assistance at BleepingComputer (link HERE). They have expertise in helping to remove particularly tricky infections and, in particular, they use a tool called ComboFix which is not for the inexperienced. The forums at BleepingComputer show one previous case this year of suspected infection by the Gozi Trojan, which in the end was cleaned by a combination of Malwarebytes (the free version of which I suggest you run anyway) and ESET.

                • 5. Re: Trojan:GOZI
                  Hayton

                  Any news? What did the full scan report?

                   

                  I found notes of a presentation given this year about Gozi, which you might find useful (link here). The pdf gets a bit technical, but gives some good insights into how it works.

                  • 6. Re: Trojan:GOZI
                    golfer1john

                    I'm in contact with Trusteer, and sent them some logs for analysis.  It is my home computer, not work, the ID they gave me is the last 7 digits of a serial number identifying my installation of Rapport.

                     

                    I ran the stinger, and no hits.

                    • 7. Re: Trojan:GOZI
                      Hayton

                      If it was the Stinger tool you ran then no, it wouldn't. It's like Microsoft's Malicious Software Removal Tool, it only checks for a subset of the most prevalent and reported malware that's around. Gozi is a bit of a niche player, so Stinger wouldn't necessarily cover it.

                       

                      Have you tried GetSusp and Malwarebytes? If all else fails, you could try BleepingComputer or, as I'm sure I will be reminded, you could ask McAfee's Technical Support to investigate the case for you. This would have the advantage (from McAfee's point of view) that they could check to see whether the trojan (if indeed you're infected by a trojan) is a new variant, and, if it is, allow them to update the database.

                       

                      Before you do anything though : have you followed the link to check your user agent string? If there is an unexpected code in there it can be used to confirm the presence of malware, and might tell us what it is.

                      • 8. Re: Trojan:GOZI
                        golfer1john

                        Your User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0

                         

                          That user agent is OK, isn't it?  I don't know what Gecko is.

                         

                        I have Malwarebytes and SuperAntiSpyware, have run them, and they detect nothing unusual.  Some tracking cookies, and a program I wrote myself.  I can't imagine what is in it that would be suspicious.  It's a very crude GO gameboard.

                         

                        Message was edited by: golfer1john on 9/1/11 7:04:58 PM CDT
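The check the two posters are doing by eye above (is there an unexpected token in the browser's user agent string?) can be scripted. The following is an added example written for this page, not code from the thread, from McAfee or from Trusteer. It parses a Firefox user agent of the form posted above and reports any token that does not fit the shape Firefox itself emits. The whitelist of platform tokens and the two extra sample strings are constructed assumptions for the example; "Gecko" is simply Firefox's rendering engine, and from Firefox 4 onward the `Gecko/20100101` token is a fixed build marker while `rv:` tracks the Firefox version, which is why the posted string parses cleanly.

```python
import re

# Shape of a Firefox desktop user agent: Mozilla/5.0 (<platform tokens>) Gecko/<build> Firefox/<version>
# Firefox places nothing after the Firefox/<version> token, so anything trailing
# is captured separately and reported.
FIREFOX_UA_RE = re.compile(
    r"^Mozilla/5\.0 \((?P<platform>[^)]*)\) Gecko/(?P<gecko>\d{8}) "
    r"Firefox/(?P<ver>[\d.]+)(?P<trailer>.*)$"
)

# Platform tokens that legitimately appear inside the parentheses of a
# Firefox-on-Windows user agent. This whitelist is an assumption for the example;
# extend it for other platforms before using it on real traffic.
KNOWN_PLATFORM_TOKENS = [
    re.compile(r"^Windows NT \d+\.\d+$"),   # Windows version (6.1 = Windows 7)
    re.compile(r"^WOW64$"),                 # 32-bit browser on 64-bit Windows
    re.compile(r"^Win64$"),
    re.compile(r"^x64$"),
    re.compile(r"^rv:[\d.]+$"),             # Gecko revision, equals Firefox version from 5.0 on
]

# The user agent quoted in the thread (post 8).
POSTED_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0"

# Constructed strings (not from the thread) showing the two places an injected
# component typically leaves a marker: inside the parentheses, or appended at the end.
CONSTRUCTED_UA_INSIDE = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Example-Token; rv:6.0) Gecko/20100101 Firefox/6.0"
)
CONSTRUCTED_UA_TRAILER = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0 Example-Marker/1.0"
)


def audit_firefox_ua(ua: str) -> dict:
    """Parse a Firefox user agent and list every token that does not fit the expected shape.

    Returns a dict with 'parsed' (bool), the Firefox and Gecko fields when parsed,
    and 'unexpected', a list of tokens or findings a reviewer should look at.
    """
    m = FIREFOX_UA_RE.match(ua)
    if not m:
        # Not a Firefox-shaped string at all; hand the whole thing back for inspection.
        return {"parsed": False, "unexpected": [ua]}

    unexpected = []
    rv = None
    for tok in (t.strip() for t in m.group("platform").split(";")):
        if not tok:
            continue
        if tok.startswith("rv:"):
            rv = tok[3:]
        if not any(p.match(tok) for p in KNOWN_PLATFORM_TOKENS):
            unexpected.append(tok)

    trailer = m.group("trailer").strip()
    if trailer:
        unexpected.append(trailer)

    ver = m.group("ver")
    # From Firefox 5.0 onward the rv: token and the Firefox/ version are the same number;
    # a mismatch means one of them was rewritten after the browser built the string.
    if rv is not None and rv != ver and float(ver.split(".")[0]) >= 5:
        unexpected.append(f"rv:{rv} does not match Firefox/{ver}")

    return {
        "parsed": True,
        "firefox": ver,
        "gecko": m.group("gecko"),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    for label, ua in (
        ("posted", POSTED_UA),
        ("constructed, token inside", CONSTRUCTED_UA_INSIDE),
        ("constructed, trailer", CONSTRUCTED_UA_TRAILER),
    ):
        result = audit_firefox_ua(ua)
        status = "clean" if result["parsed"] and not result["unexpected"] else "REVIEW"
        print(f"{label:28s} {status:7s} {result['unexpected']}")
```

Run it against the string your browser reports (the thread's earlier post links a page that echoes it back); an empty `unexpected` list for a Firefox string means nothing has been bolted on. The check is deliberately narrow: it only knows the Firefox layout, and a clean user agent does not prove a clean machine, since not every infection announces itself there.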
                        • 9. Re: Trojan:GOZI
                          golfer1john

                          I just ran GetSusp and it identified two suspicious files that I know are OK, my stockbroker's GUI and my Citibank Virtual Account number program.  39 unknowns, either related to those two or IBM driver software.
