Remove Zusy Trojan (Removal Instructions)

Remove Zusy Trojan (Removal Instructions)

This article has been created to help explain what is the Zusy Trojan and how to remove it from your computer effectively.

A new Trojan horse has been detected to spread at an alarming rate that surpasses even the WannaCry infection. The malware, called Zusy has been detected to replicate via a worm and then drop what appears to be a cryptocurrency miner, known as Tiggre (other name is Digmein), which aims to overload the CPU and GPU of the affected computers in order to obtain tokens at their expense and credit them to the cyber-crooks behind this outbreak. In case your computer has been infected by the Zeus Trojan, we recommend that you read this article as it will help you remove this malware and restore your PC’s performance to normal.

Threat Summary

NameZusy Trojan
TypeTrojan Horse / Worm
Short DescriptionAn advanced worm, spreading the Zusy Trojan which downloads different malware on infected computers.
SymptomsAll of your data on your computer may be compromised and your PC may experience slow-downs and have it’s CPU and GPU running on their limits.
Distribution MethodReplicates automatically from infected machines to infected machines. Able to migrate to different networks.
Detection Tool See If Your System Has Been Affected by Zusy Trojan


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Zusy Trojan.

Zusy Virus – Distribution

In order to be widespread on a serious level, the Zusy Virus uses a worm infection, which has been reported at VirusTotal and uploaded on Twitter by researcher Vess (@VessOnSecurity ).

Source: VirusTotal

The Zusy malware may use advanced exploits since researchers have reported it in VT as being highly evasive. One report by PayloadSecurity indicateds the following replication URLs in relation to the Zusy virus:



memurl:”Heuristic match:,Pattern match: hxxp:// match: hxxp://;http,Pattern match: hxxp://”

In addition to this, the malware may also have the capability of hijacking flash drives and other external memory carriers that copy scripts that allow for the infection to take place by exploiting AutoPlay in Windows.

Zusy Trojan – Analysis

The Zusy Trojan is the type of threat which aims to drop it’s payloaad files. The payload fils have random names and are also located in folders with random names. The folders are created in the %AppData% directory:

→ %AppData%\{random}\{random file}.exe – also detected as TSPY_ZBOT.ZUSY
%AppData%\{random}\{random file 2}.{random extension}
%AppData%\{random}\{random file 3}.tmp

Once this is done, the Zusy virus then creates an autostart type of registry entry in the following registry sub-key:

→ HKEY_CURRENT_USER\Software\Microsoft\

The entry is set to run the randomly named .exe file, we mentioned above. Besides these modifications, the Trojan also adds registry entries in the following Windows sub-keys:

→ HKEY_CURRENT_USER\Software\Microsoft\
Services\SharedAccess\Parameters\ FirewallPolicy\StandardProfile\AuthorizedApplications\
List %Windows%\explorer.exe = “%Windows%\explorer.exe:*:Enabled:Windows Explorer”

→ HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnonBadCertRecving = “0”

→ HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
EnableSPDY3_0 = “0”

The malware then connects to what appears to be the following malcious URLs:

→ hxxp:// match: hxxp://;http, hxxp://

From there it may download a CryptoCurrency miner virus, known as the Tiggre miner (W32/Tiggre), which aslo drops malicious files in the %AppData% directory and begins connecting to a remote server in order to begin mining for cryptocurrencies by utilizing your CPU and GPU to almost a 100%, which results in your PC starting to slow down at an alarming rate.

In addition to this, since it’s also a spyware, the Zusy Trojan may also use it’s tracking technologies to steal different type of information from your PC, based on how the virus is configured. The types of data can be the following:

  • Log your keystrokes.
  • Steal saved passwords.
  • Obtain files from your PC.
  • Take over your communication logs (Chat history, etc.).
  • Take screenshots.
  • Control your web camera.

Furthermore, the Zusy virus may also delete its main malicious file after infecting your computer and continue to spread on another PC’s on a network level of replication (via intermediary and end devices, like routers, switches, etc.). This is done for malware researchers to prevent discovering the infection and hence creating a kill switch of it.

Remove Zusy Trojan from Your PC

If you want to remove the Zusy Trojan completely from your computer, your can do several different actions that isolate it’s activity. The first one is to boot your comptuer into safe mode and then hunt for the registry sub-keys and objects of the virus manually. This can be done by following the manual removal instructions underneath this article.

However, if manual removal does not seem to be working for you or you want to be fully sure that the Zusy virus and all the related miner viruses it drops on your PC are gone for good, be advised that the recommended removal method to go for is automatic removal by scanning your PC with a powerful anti-malware program. Such tool is created to best help you out to remove all of the objects, related to Zusy virus on your PC.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share