Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


How do I detect and remove the S_Gozi infection?

Posted on 2012-08-23
Medium Priority
Last Modified: 2013-11-22
I have been informed by Spamhaus that the IP address we use for corporate email has communicated with a known spam site and is either infected by, or NATing for, a computer that is infected by the S_Gozi trojan / downloader.

It states that the infection is extremely difficult to detect and is not seen by most commercial AV or EndPoint protection suites. We are using McAfee Enterprise and all of the computers on the system are clean according to that.

What particular tracks does this infection leave on a machine? How do I detect and remove it? Is there a tool that works for finding this infection?
Question by:Norm Dickinson

Accepted Solution

southpau1 earned 2000 total points
ID: 38324691
Search your enterprise for the file "xx_ymvb.exe" residing in the "C:\Documents and Settings\<username> folder.

The trojan is often identified as the following:
Agent.AAV (AntiVir, Sunbelt) or Agent.BB (Microsoft)
Pinch.B (BitDefender)
Small.BS (VBA32, TheHacker, Ewido, eSafe, Fortinet, Kaspersky)
Some other variant of Small (VirusBuster, UNA)
Ursnif.AG (eTrust VET)

But as you have been told, it often goes undetected.

Here is some EXTENSIVE information on the trojan, that will help you find it, if it is on your network:

There is a Snort rule at the bottom if you have Snort our Sorucefire IDPS to help detect.
LVL 13

Author Closing Comment

by:Norm Dickinson
ID: 38325095
Thank you - that is exactly what I needed to continue toward the solution.

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.
2017 was a scary year for cyber security.  Hear what our security experts say that hackers have in store for us in 2018.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question