How do I detect and remove the S_Gozi infection?

I have been informed by Spamhaus that the IP address we use for corporate email has communicated with a known spam site and is either infected by, or NATing for, a computer that is infected by the S_Gozi trojan / downloader.

It states that the infection is extremely difficult to detect and is not seen by most commercial AV or EndPoint protection suites. We are using McAfee Enterprise and all of the computers on the system are clean according to that.

What particular tracks does this infection leave on a machine? How do I detect and remove it? Is there a tool that works for finding this infection?
Asked by Norm Dickinson (Guru):

southpau1 commented:
Search your enterprise for the file "xx_ymvb.exe" residing in the "C:\Documents and Settings\<username>" folder.

The trojan is often identified as the following:
Agent.AAV (AntiVir, Sunbelt) or Agent.BB (Microsoft)
Pinch.B (BitDefender)
Small.BS (VBA32, TheHacker, Ewido, eSafe, Fortinet, Kaspersky)
Some other variant of Small (VirusBuster, UNA)
Ursnif.AG (eTrust VET)

But as you have been told, it often goes undetected.

Here is some EXTENSIVE information on the trojan that will help you find it, if it is on your network:
http://www.secureworks.com/research/threats/gozi/

There is a Snort rule at the bottom if you have Snort or Sourcefire IDPS to help detect.
0
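One way to sweep profile folders for the indicator southpau1 names, as an added example that is not from the original thread: a small Python script (hypothetical, not a tool from the answer) that checks the top level of each user profile for xx_ymvb.exe and records a SHA-256 and modification time for each hit, so findings can be compared across machines and handed to the AV vendor. It assumes the profile root is C:\Documents and Settings, or a mounted share or disk image of it.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone

# Indicator from the answer above: the dropper sits directly in the
# user's profile folder (C:\Documents and Settings\<username>\xx_ymvb.exe).
# Matching is case-insensitive because NTFS file names are.
SUSPECT_NAMES = {"xx_ymvb.exe"}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_profiles(profile_root, names=SUSPECT_NAMES):
    """Return one dict (user, path, sha256, mtime) per suspect file found
    at the top level of any user profile under profile_root."""
    findings = []
    lowered = {n.lower() for n in names}
    try:
        users = sorted(os.listdir(profile_root))
    except OSError:  # root missing or unreadable: nothing to report
        return findings
    for user in users:
        profile = os.path.join(profile_root, user)
        if not os.path.isdir(profile):
            continue
        for entry in os.listdir(profile):
            path = os.path.join(profile, entry)
            if entry.lower() not in lowered or not os.path.isfile(path):
                continue
            st = os.stat(path)
            findings.append({
                "user": user,
                "path": path,
                "sha256": sha256_of(path),
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Documents and Settings"
    for hit in scan_profiles(root):
        print(hit)
```

Run it with the profile root as the first argument (e.g. a UNC path to a remote machine's C$ share) and keep the hashes it reports with the rest of the incident record.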

Norm Dickinson (Guru, Author) commented:
Thank you - that is exactly what I needed to continue toward the solution.
0