This article has been created to help explain what is the Zusy Trojan and how to remove it from your computer effectively.
A new Trojan horse has been detected to spread at an alarming rate that surpasses even the WannaCry infection. The malware, called Zusy has been detected to replicate via a worm and then drop what appears to be a cryptocurrency miner, known as Tiggre (other name is Digmein), which aims to overload the CPU and GPU of the affected computers in order to obtain tokens at their expense and credit them to the cyber-crooks behind this outbreak. In case your computer has been infected by the Zeus Trojan, we recommend that you read this article as it will help you remove this malware and restore your PC’s performance to normal.
Threat Summary
| Name | Zusy Trojan |
| Type | Trojan Horse / Worm |
| Short Description | An advanced worm, spreading the Zusy Trojan which downloads different malware on infected computers. |
| Symptoms | All of your data on your computer may be compromised and your PC may experience slow-downs and have it’s CPU and GPU running on their limits. |
| Distribution Method | Replicates automatically from infected machines to infected machines. Able to migrate to different networks. |
| Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
User Experience | Join Our Forum to Discuss Zusy Trojan. |
Zusy Virus – Distribution
In order to be widespread on a serious level, the Zusy Virus uses a worm infection, which has been reported at VirusTotal and uploaded on Twitter by researcher Vess (@VessOnSecurity ).
Source: VirusTotal
The Zusy malware may use advanced exploits since researchers have reported it in VT as being highly evasive. One report by PayloadSecurity indicateds the following replication URLs in relation to the Zusy virus:
PayloadSecurity
2018-08-14
#evasivesubmitname:”ca71f8a79f8ed255bf03679504813c6a.dll.bin”
falcon-threatscore:100/100
memurl:”Heuristic match: down.0814ok.info,Pattern match: hxxp://js.0814ok.info:280/v.sct match: hxxp://wmi.0814ok.info:8888/kill.html;http,Pattern match: hxxp://js.0814ok.info:280/v.sct”
In addition to this, the malware may also have the capability of hijacking flash drives and other external memory carriers that copy scripts that allow for the infection to take place by exploiting AutoPlay in Windows.
Zusy Trojan – Analysis
The Zusy Trojan is the type of threat which aims to drop it’s payloaad files. The payload fils have random names and are also located in folders with random names. The folders are created in the %AppData% directory:
→ %AppData%\{random}\{random file}.exe – also detected as TSPY_ZBOT.ZUSY
%AppData%\{random}\{random file 2}.{random extension}
%AppData%\{random}\{random file 3}.tmp
Once this is done, the Zusy virus then creates an autostart type of registry entry in the following registry sub-key:
→ HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
The entry is set to run the randomly named .exe file, we mentioned above. Besides these modifications, the Trojan also adds registry entries in the following Windows sub-keys:
→ HKEY_CURRENT_USER\Software\Microsoft\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\ FirewallPolicy\StandardProfile\AuthorizedApplications\
List %Windows%\explorer.exe = “%Windows%\explorer.exe:*:Enabled:Windows Explorer”
→ HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnonBadCertRecving = “0”
→ HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
EnableSPDY3_0 = “0”
The malware then connects to what appears to be the following malcious URLs:
→ hxxp://js.0814ok.info:280/v.sct match: hxxp://wmi.0814ok.info:8888/kill.html;http, hxxp://js.0814ok.info:280/v.sct
From there it may download a CryptoCurrency miner virus, known as the Tiggre miner (W32/Tiggre), which aslo drops malicious files in the %AppData% directory and begins connecting to a remote server in order to begin mining for cryptocurrencies by utilizing your CPU and GPU to almost a 100%, which results in your PC starting to slow down at an alarming rate.
In addition to this, since it’s also a spyware, the Zusy Trojan may also use it’s tracking technologies to steal different type of information from your PC, based on how the virus is configured. The types of data can be the following:
- Log your keystrokes.
- Steal saved passwords.
- Obtain files from your PC.
- Take over your communication logs (Chat history, etc.).
- Take screenshots.
- Control your web camera.
Furthermore, the Zusy virus may also delete its main malicious file after infecting your computer and continue to spread on another PC’s on a network level of replication (via intermediary and end devices, like routers, switches, etc.). This is done for malware researchers to prevent discovering the infection and hence creating a kill switch of it.
Remove Zusy Trojan from Your PC
If you want to remove the Zusy Trojan completely from your computer, your can do several different actions that isolate it’s activity. The first one is to boot your comptuer into safe mode and then hunt for the registry sub-keys and objects of the virus manually. This can be done by following the manual removal instructions underneath this article.
However, if manual removal does not seem to be working for you or you want to be fully sure that the Zusy virus and all the related miner viruses it drops on your PC are gone for good, be advised that the recommended removal method to go for is automatic removal by scanning your PC with a powerful anti-malware program. Such tool is created to best help you out to remove all of the objects, related to Zusy virus on your PC.
Ventsislav Krastev
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Follow Me:
Preparation before removing Zusy Trojan.
Before starting the actual removal process, we recommend that you do the following preparation steps.
- Make sure you have these instructions always open and in front of your eyes.
- Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
- Be patient as this could take a while.
- Scan for Malware
- Fix Registries
- Remove Virus Files
Step 1: Scan for Zusy Trojan with SpyHunter Anti-Malware Tool
Step 2: Clean any registries, created by Zusy Trojan on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by Zusy Trojan there. This can happen by following the steps underneath:
Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.Step 3: Find virus files created by Zusy Trojan on your PC.
1.For Windows 8, 8.1 and 10.
For Newer Windows Operating Systems
1: On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC's screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be "fileextension:exe". After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navigation box to fill up in case the PC is looking for the file and hasn't found it yet.
2.For Windows XP, Vista, and 7.
For Older Windows Operating Systems
In older Windows OS's the conventional approach should be the effective one:
1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
Zusy Trojan FAQ
What Does Zusy Trojan Trojan Do?
The Zusy Trojan Trojan is a malicious computer program designed to disrupt, damage, or gain unauthorized access to a computer system.
It can be used to steal sensitive data, gain control over a system, or launch other malicious activities.
What Damage Can Zusy Trojan Trojan Cause?
The Zusy Trojan Trojan is a malicious type of malware that can cause significant damage to computers, networks and data.
It can be used to steal information, take control of systems, and spread other malicious viruses and malware.
Is Zusy Trojan Trojan a Harmful Virus?
Yes, it is. A Trojan is a type of malicious software that is used to gain unauthorized access to a person's device or system. It can damage files, delete data, and even steal confidential information.
Can Trojans Steal Passwords?
Yes, Trojans, like Zusy Trojan, can steal passwords. These malicious programs are designed to gain access to a user's computer, spy on victims and steal sensitive information such as banking details and passwords.
Can Zusy Trojan Trojan Hide Itself?
Yes, it can. A Trojan can use various techniques to mask itself, including rootkits, encryption, and obfuscation, to hide from security scanners and evade detection.
Can a Trojan be Removed by Factory Reset?
Yes, a Trojan can be removed by factory resetting your device. This is because it will restore the device to its original state, eliminating any malicious software that may have been installed.
Can Zusy Trojan Trojan Infect WiFi?
Yes, it is possible for a Trojan to infect WiFi networks. When a user connects to the infected network, the Trojan can spread to other connected devices and can access sensitive information on the network.
Can Trojans Be Deleted?
Yes, Trojans can be deleted. This is typically done by running a powerful anti-virus or anti-malware program that is designed to detect and remove malicious files. In some cases, manual deletion of the Trojan may also be necessary.
Can Trojans Steal Files?
Yes, Trojans can steal files if they are installed on a computer. This is done by allowing the malware author or user to gain access to the computer and then steal the files stored on it.
Which Anti-Malware Can Remove Trojans?
Anti-malware programs such as SpyHunter are capable of scanning for and removing Trojans from your computer. It is important to keep your anti-malware up to date and regularly scan your system for any malicious software.
Can Trojans Infect USB?
Yes, Trojans can infect USB devices. USB Trojans typically spread through malicious files downloaded from the internet or shared via email, allowing the hacker to gain access to a user's confidential data.
About the Zusy Trojan Research
The content we publish on SensorsTechForum.com, this Zusy Trojan how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific trojan problem.
How did we conduct the research on Zusy Trojan?
Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of trojans (backdoor, downloader, infostealer, ransom, etc.)
Furthermore, the research behind the Zusy Trojan threat is backed with VirusTotal.
To better understand the threat posed by trojans, please refer to the following articles which provide knowledgeable details.