Clicky

 

What is Zeus Panda? And how does it function?

Zeus Panda, also known as Panda Banker virus, is a new version of the infamous Zeus Trojan. It is a banking Trojan which uses Zeus Trojan’s malicious modules to monitor the infected computer and steal financial and banking information. During its infiltration, it remains unnoticed while at the same time logs keystrokes and takes screenshots of your computer.
When a computer is already infected by the Zeus Panda Trojan, the Trojan will immediately begin to connect to multiple third party hosts and server to send information about the infected computer and support active connection while remaining to be undetected. According to security experts, Zeus Panda is associated with the following domains:

  • 8.88.39
  • 8.195.82

Moreover, Zeus Panda also uses Google Docs domains to obtain malicious files it has uploaded there. In relation to these connections, this banking Trojan has all the malicious modules that the Zeus Trojan has. These malicious modules are mostly .DLL files which are disguised as legitimate Windows processes. And based on the latest reports, these malicious files include embedded functions that perform several malicious tasks on the infected computer.
According to security experts, these are the malicious functions that the Zeus Panda uses:

  • GetModuleHandleA– this malicious function modifies the code in the operating system to inject obfuscated malicious codes.
  • GetModuleFileName– this malicious function rolls back the name of the support modules that are active as system processes.
  • OpenMutexA– this malicious function is for unique identification so that there is no second infection of ZeuS on an already infected computer.
  • GetUserNameAand GetAuditedPermissionsFromAclW – these malicious functions provide an easier way for hackers to manage many infections, by assigning the infected computer with it’s username in his command and control interface.
  • CreateServiceAand CreateProcessAsUserW – these malicious functions are used to insert the malicious files of the virus as fake processes.
  • GetDesktopWindowand GetKeyboarState – these malicious functions are believed to be used for screenshot capturing and logging your keystrokes.

There are no symptoms of getting infected with the Zeus Panda Trojan, the only way to identify it is to check the Windows Task Manager for suspicious processes that are not run by the system and since this baking Trojan disguises its malicious functions as legitimate processes, you have to take note of the malicious functions used by Zeus Panda listed above so that you’d know.
How does Zeus Panda circulate online?
Zeus Panda spreads using malicious spam emails. The perpetrator behind this banking Trojan attaches a ZIP file in an email and sends it to its targeted victims. The spam email campaign is planned out using different spam accounts. According to a concrete sample detected by Malware-Traffic-Analysis, the email message consists of accusing the victims of receiving a parking fine. Here’s the complete message in the email containing the Zeus Panda Trojan:
“The e-mail below is from an external source. Please do not open attachments or click links from an unknown or suspicious origin.
You received a parking fine!
26-818 – Parking of motor car or otherwise obstructing fire lanes shall be forbidden at all times
Required to appear in law court
Parking fine number information: TPD64735261
Check your parking ticket {Contains link to Google Docs where the malware is}
To pay your parking fine, download your ticket and choose one of 2 convenient ways:

  1. Online

Pay online by Visa or Mastercard, $2 processing fee.

  1. By phone (automated system)

Pay by Visa or Mastercard at (866)562-5972
Sincerely,
Traffic Police”
Follow the removal instructions below to terminate Zeus Panda from your PC.
Step 1: Restart your PC to Safe Mode with Networking.

Step 2: Enable the disabled Windows features.

  1. Press Win + R keys to launch Run.
  2. Type in msc in the box and press Enter to open Group Policy.
  3. Under Group Policy, navigate to:
    1. User Configuration\Administrative Templates\System
  4. After that, open Prevent access to the command prompt.
  5. Select Disable to enable cmd
  6. Click the OK button
  7. After that, go to:
    1. Configuration\Administrative Templates\System
  8. Double click on the Prevent Access to registry editing tools.
  9. Choose Disabled and click OK.
  10. Navigate to :
    1. User Configuration\Administrative Templates\System>Ctrl+Alt+Del Options
  11. Double click on Remove Task Manager.
  12. And then set its value to Disabled.

Step 3: Tap Ctrl + Shift + Esc keys to open the Task Manager.
Step 4: Look for the following processes disguising  as Windows processes created by Zeus Panda and end all of them.

  • GetModuleHandleA
  • GetModuleFileName
  • OpenMutexA protect.exe
  • GetUserNameA
  • GetAuditedPermissionsFromAclW
  • CreateServiceA
  • CreateProcessAsUserW
  • GetDesktopWindow
  • GetKeyboarState


Step 5: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.

Step 6: Look for Zeus Panda or any suspicious program and then Uninstall it/them.

Step 7: Tap the Win + E keys simultaneously to open File Explorer.
Step 8: Navigate to the following locations below.

  • %TEMP%
  • %ROAMING%
  • %APPDATA%
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

Step 9: Look for the ZIP file that contains a document named Traffic_Police_Department – Parking_Ticket_Information.doc and delete it.
Step 10: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 11: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 12: Navigate to the following path:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE
  • HKCU\SOFTWARE\WOW6432Node

Step 13: Delete the registry keys and sub-keys created by Zeus Panda banking Trojan.
Step 14: Close the Registry Editor and empty your Recycle Bin.
To completely eliminate Zeus Panda and its malicious processes and files from your computer, follow the advanced guidelines below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

  1. Turn on your computer. If it’s already on, you have to reboot
  2. After that, the BIOSscreen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

  1. To navigate the Advanced Optionuse the arrow keys and select Safe Mode with Networking then hit
  2. Windows will now load the SafeMode with Networking.
  3. Press and hold both R key and Windows key.

  1. If done correctly, the Windows Run Boxwill show up.
  2. Type in explorer http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between explorer and http. Click OK.

  1. A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.

  1. Click OK to launch it.
  2. Run SpyRemover Pro and perform a full system scan.

  1. After all the infections are identified, click REMOVE ALL.

  1. Register the program to protect your computer from future threats.

 

logo main menu

Copyright © 2024, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.

DMCA.com Protection Status

Log in with your credentials

Forgot your details?