How do I detect and remove the S_Gozi infection?

Posted on 2012-08-23
Last Modified: 2013-11-22
I have been informed by Spamhaus that the IP address we use for corporate email has communicated with a known spam site and is either infected by, or NATing for, a computer that is infected by the S_Gozi trojan / downloader.

It states that the infection is extremely difficult to detect and is not seen by most commercial AV or EndPoint protection suites. We are using McAfee Enterprise and all of the computers on the system are clean according to that.

What particular tracks does this infection leave on a machine? How do I detect and remove it? Is there a tool that works for finding this infection?
Question by:Norm Dickinson
    LVL 7

    Accepted Solution

    Search your enterprise for the file "xx_ymvb.exe" residing in the "C:\Documents and Settings\<username>" folder.

    The trojan is often identified as the following:
    Agent.AAV (AntiVir, Sunbelt) or Agent.BB (Microsoft)
    Pinch.B (BitDefender)
    Small.BS (VBA32, TheHacker, Ewido, eSafe, Fortinet, Kaspersky)
    Some other variant of Small (VirusBuster, UNA)
    Ursnif.AG (eTrust VET)

    But as you have been told, it often goes undetected.

    Here is some EXTENSIVE information on the trojan that will help you find it, if it is on your network:

    There is a Snort rule at the bottom if you have Snort or Sourcefire IDPS to help detect.
    LVL 13
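    One way to carry out the file search the accepted answer recommends across a whole profile root, as an added example that is not code from the question, the answer, or any vendor tool. It walks the profile roots (the legacy "C:\Documents and Settings" path from the answer plus "C:\Users", an assumption for current Windows releases), matches the file name case-insensitively because NTFS is, reports a SHA-256 for each hit so it can be checked against vendor intelligence, and skips profile folders it cannot read instead of aborting. The function names and the default roots are this example's own choices.

```python
"""Added example (not from the original post): find a file-name indicator
under Windows profile roots and report each hit with size and SHA-256."""
import hashlib
import os
from pathlib import Path

# File name quoted in the accepted answer. The roots are assumptions that
# cover the XP/2003 layout named in the answer and the layout used since Vista.
IOC_FILENAME = "xx_ymvb.exe"
DEFAULT_ROOTS = [r"C:\Documents and Settings", r"C:\Users"]


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large or unexpected files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_ioc_files(roots, filename=IOC_FILENAME):
    """Walk each existing root and return [(path, size, sha256)] for every
    file whose name matches case-insensitively. Unreadable directories are
    skipped (os.walk onerror); a matching file that cannot be opened is still
    reported, with size and hash set to None, because its presence is the
    finding."""
    wanted = filename.lower()
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue  # e.g. no legacy profile root on a newer system
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
            for name in filenames:
                if name.lower() != wanted:
                    continue
                p = Path(dirpath) / name
                try:
                    hits.append((str(p), p.stat().st_size, sha256_of(p)))
                except OSError:
                    hits.append((str(p), None, None))
    return hits


def report(hits):
    """Tab-separated lines, one per hit, suitable for a ticket or a SIEM."""
    return [f"{path}\tsize={size}\tsha256={digest}" for path, size, digest in hits]


if __name__ == "__main__":
    found = find_ioc_files(DEFAULT_ROOTS)
    if found:
        print("\n".join(report(found)))
    else:
        print(f"no file named {IOC_FILENAME} under {DEFAULT_ROOTS}")
```

    Run it with an account that can read every profile folder, or the walk silently skips the ones it cannot open. A single file name is a weak indicator on its own (a renamed dropper is missed, and an unrelated file could share the name), which is why each hit carries a hash to confirm against vendor detections before any removal is attempted.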

    Author Closing Comment

    by:Norm Dickinson
    Thank you - that is exactly what I needed to continue toward the solution.
