HKCert
Security Blog

How to detect and remove Citadel Malware

Release Date: 07 / 06 / 2013
Last Update: 07 / 06 / 2013

If you are worried that your computer has been infected with the Citadel malware, you can download the Microsoft Safety Scanner from Microsoft at http://www.microsoft.com/security/scanner/en-us/default.aspx and run a full system scan.

  1. Click "Download Now" to download the Microsoft Safety Scanner.

  2. Double-click msert.exe to run it, select the "Accept all terms of the preceding license agreement" check box, then click "Next".

  3. Select "Full scan" and click "Next" to start scanning.

  4. Scanning in progress.

  5. Scanning completed: no viruses, spyware or other potentially unwanted software were detected.

  6. If your computer was infected by the Citadel malware, it will be detected and removed by the scanner.

HKCERT received and analyzed some samples of the Citadel malware; the preliminary result shows that most anti-malware software is able to detect it. You can refer to the links below:

Sample 1: https://www.virustotal.com/en/file/a048b003abf85c250aeb9f36ccac7a1984c0b7f41fc5a5698080d3729488b28d/analysis/1370587377/

Sample 2: https://www.virustotal.com/en/file/275de260b2e54a780d092d49738ac40964ea137242495d5bbb41e106ddbb2115/analysis/1370587532/

Sample 3: https://www.virustotal.com/en/file/5a613332668a3f715db5a0e17c50aca80377b20d318d519db5bc81092e67f713/analysis/1370587539/

Sample 4: https://www.virustotal.com/en/file/26a3866e497d60d572807ead5eb03721bbd3dedb6942e19bbeb123f42a2b3dfc/analysis/1370587588/

Sample 5: https://www.virustotal.com/en/file/b8716df47753d35f405dfada16d7aa1ff23f825133ac4d709ade7b8bcf97d6ef/analysis/1370587606/

Sample 6: https://www.virustotal.com/en/file/ae722494dbc0e8a9abee3799662415cffd82a5d14b69d5dcd4097cd14521799a/analysis/1370587763/

Sample 7: https://www.virustotal.com/en/file/97aafc6e53eaedc1ecf07c996b181fbfeec4bca88007114a961d148e6abb414f/analysis/1370589381/

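The VirusTotal report URLs above each carry the SHA-256 of the sample, so the seven hashes can be used directly as file indicators. The script below is an added example (not part of the HKCERT post and not an HKCERT tool): it pulls the SHA-256 values out of the URLs, hashes every file under a directory you name, and reports any file whose digest matches. The function names and the command-line usage are this example's own; the hashes are the ones on the page.

```python
import hashlib
import os
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, Set

# VirusTotal file-report URLs copied from the HKCERT post above. VirusTotal
# addresses a file report by the SHA-256 of the sample, so the indicator is
# the 64-hex-character segment after "/file/".
VIRUSTOTAL_URLS = [
    "https://www.virustotal.com/en/file/a048b003abf85c250aeb9f36ccac7a1984c0b7f41fc5a5698080d3729488b28d/analysis/1370587377/",
    "https://www.virustotal.com/en/file/275de260b2e54a780d092d49738ac40964ea137242495d5bbb41e106ddbb2115/analysis/1370587532/",
    "https://www.virustotal.com/en/file/5a613332668a3f715db5a0e17c50aca80377b20d318d519db5bc81092e67f713/analysis/1370587539/",
    "https://www.virustotal.com/en/file/26a3866e497d60d572807ead5eb03721bbd3dedb6942e19bbeb123f42a2b3dfc/analysis/1370587588/",
    "https://www.virustotal.com/en/file/b8716df47753d35f405dfada16d7aa1ff23f825133ac4d709ade7b8bcf97d6ef/analysis/1370587606/",
    "https://www.virustotal.com/en/file/ae722494dbc0e8a9abee3799662415cffd82a5d14b69d5dcd4097cd14521799a/analysis/1370587763/",
    "https://www.virustotal.com/en/file/97aafc6e53eaedc1ecf07c996b181fbfeec4bca88007114a961d148e6abb414f/analysis/1370589381/",
]

_SHA256_IN_URL = re.compile(r"/file/([0-9a-fA-F]{64})/")


def extract_sha256(url: str) -> str:
    """Return the lower-case SHA-256 embedded in a VirusTotal file-report URL."""
    match = _SHA256_IN_URL.search(url)
    if not match:
        raise ValueError(f"no SHA-256 found in VirusTotal URL: {url}")
    return match.group(1).lower()


def load_bad_hashes(urls: Iterable[str]) -> Set[str]:
    """Build the indicator set from a list of VirusTotal report URLs."""
    return {extract_sha256(url) for url in urls}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, bad_hashes: Set[str]) -> Dict[str, str]:
    """Walk root recursively and return {path: sha256} for every file whose
    hash is in bad_hashes. Files that cannot be read (locked, permission
    denied) are skipped rather than aborting the whole scan."""
    hits: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in bad_hashes:
                hits[str(path)] = digest
    return hits


if __name__ == "__main__":
    # Usage (hypothetical): python citadel_hash_check.py C:\Users
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = scan_directory(target, load_bad_hashes(VIRUSTOTAL_URLS))
    for file_path, file_hash in matches.items():
        print(f"MATCH {file_hash}  {file_path}")
    print(f"{len(matches)} matching file(s) under {target}")
```

A hash match is exact-sample detection only: a rebuilt or repacked Citadel binary will have a different digest, which is why the post still recommends a full scan with an anti-malware engine that uses the generic signatures listed in the alias table. Run the script with the account that can read the directories of interest, since unreadable files are silently skipped.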
Different security vendors may use different naming standards. You may refer to the table below for the aliases of the Citadel malware.

Security Vendor  | Aliases of Citadel Malware
-----------------+-----------------------------------
Avast            | Win32:Spyeye-AGL [Trj]
                 | Win32:Cutwail-BM [Trj]
                 | Win32:Injector-AXW [Trj]
                 | Win32:Zbot-QEP [Trj]
                 | Win32:Malware-gen
                 | Win32:Crypt-OZC [Trj]
-----------------+-----------------------------------
AVG              | Generic30.TDR
                 | Dropper.Generic7.AAZV
                 | SHeur4.AWRI
                 | Dropper.Generic7.COPV
                 | BackDoor.Generic16.VZX
                 | SHeur4.AXDN
                 | Dropper.Generic7.COPV
-----------------+-----------------------------------
Avira (AntiVir)  | TR/Dropper.Gen8
                 | TR/Spy.ZBot.ajoumea
                 | TR/Crypt.XPACK.Gen7
                 | TR/PSW.Zbot.1039
-----------------+-----------------------------------
ESET NOD32       | a variant of Win32/Injector.XNG
                 | a variant of Win32/Injector.AALK
                 | a variant of Win32/Injector.AAHY
                 | a variant of Win32/Injector.AAHE
                 | a variant of Win32/Kryptik.ASFX
                 | a variant of Win32/Injector.AEDR
-----------------+-----------------------------------
F-Secure         | Gen:Variant.Symmi.11463
                 | Trojan.Encpk.Gen.1
                 | Trojan.Generic.KD.813474
                 | Trojan.Generic.KD.811923
                 | Gen:Variant.Symmi.10415
                 | Trojan.Generic.KDV.906991
-----------------+-----------------------------------
Kaspersky        | Trojan-FakeAV.Win32.Windef.rzx
                 | Trojan-Spy.Win32.Zbot.hpdg
                 | Trojan-Spy.Win32.Zbot.hczs
                 | Trojan-Spy.Win32.Zbot.haus
                 | Trojan-Spy.Win32.Zbot.hnkf
                 | Trojan-Spy.Win32.Zbot.jwcj
-----------------+-----------------------------------
McAfee           | Generic PWS.y!1tc
                 | PWS-Zbot.gen.anm
                 | Generic PWS.y!1s3
                 | Artemis!ADCE83CD65A0
                 | RDN/Generic.bfr!ce
-----------------+-----------------------------------
Microsoft        | Trojan:Win32/EyeStye.N
                 | VirTool:Win32/Injector.gen!DJ
                 | VirTool:Win32/CeeInject
                 | PWS:Win32/Zbot.gen!AJ
                 | PWS:Win32/Zbot
-----------------+-----------------------------------
Sophos           | Mal/Generic-S
                 | Mal/ZboCheMan-L
                 | Mal/EncPk-AFN
                 | Mal/EncPk-AIN
-----------------+-----------------------------------
Symantec         | Trojan.Gen
                 | Infostealer
                 | Packed.Generic.415
                 | WS.Reputation.1
                 | Trojan.Gen.2
-----------------+-----------------------------------
Trend Micro      | TROJ_GEN.R47CDKR
                 | TROJ_GEN.R2ECFA4
                 | TROJ_GEN.FC2CKLK
                 | TROJ_GEN.RCBCFA2
                 | TROJ_GEN.RCBCDA9
                 | TROJ_SPNR.0BCO13