GameOver Zeus is used for stealing financial data and spreading CryptoLocker ransomware

GameOver Zeus is a Trojan that is based on Zeus trojan that has first emerged in 2006. Then the name of this variant was given because of one of its filenames – gameover2.php. Malware is used to get remote access to the computer and steal private information, such as banking logins, passwords, and other financial data.
The Trojan is known for almost a decade and has alternative names – GameOver Trojan, GOZ,[1] and P2PZeuS. However, authorities also know who is standing behind this cyber threat – the Russian[2] hacker Evgeniy Mikhailovich Bogachev known as Slavik.
However, the success of malware is based not only on Slavik’s work. He created a group of 50 cyber criminals that are called “Business Club.”
In October 2013 GameOver Zeus has been started actively spreading and infecting systems with ransomware virus that is known as Cryptolocker. As soon as it is installed, it encrypts all important files that are stored on a computer and then demands payment for decrypting them.
The GameOver Zeus Trojan itself spreads via Cutwail botnet[3] and uses encrypted peer-to-peer communication with Command and Control server. During its lifetime, it has been mostly used for stealing money from banks and banking data.
Therefore, getting infected with malware might end up with financial and personal information loss. If you suspected that your PC might be infected with Trojan, you should scan your device with FortectIntego and remove GameOver Zeus from the PC.
However, you may need to take extra steps for GameOver Zeus removal if it brought ransomware to your PC. The detailed explanation about its elimination you can find at the end of this article.

Attempts to take down the dangerous Trojan
Security researchers are trying to take down the GameOver Zeus virus since 2011.[4] FBI, the U.S. and European security investigators and authorities launched several attacks against hacker’s networks. However, all the attempts failed.
In January 2013, researchers were close to taking down the malware. However, months of their work were not enough because they overlooked a critical component. As a result, the hacker updated its malicious network and took back control over its program.
In 2015, FBI put a $3 million bounty on Slavik’s head.[5] It’s the highest reward that has been offered for the cyber criminal in the United States. However, in 2017 he is still enjoying his life outside the jail.[6]
Distribution methods of the GameOver Trojan
GameOver Zeus virus has been actively spread using phishing and spam campaigns. In most of the cases, dangerous emails look like important messages from well-known organizations, such as FDIC, IRS, MySpace, Facebook, Microsoft, Federal Reserve Bank, the Federal Deposit Insurance Corporation (FDIC), the National Automated Clearing House Association (NACHA), etc.
Typically they include a link that redirects to the malicious website. When users get there, the Trojan is installed on the system.
Therefore, in order to avoid infiltration of a dangerous banking trojan, you should always inspect the email carefully:
- check the information about the sender;
- make sure that the email does not lack credentials;
- look up for grammar and spelling mistakes.
If you still cannot decide should you trust the email or not, you can always call the organization or log in to the account directly by opening a new browser’s tab. Then you can be sure if criminals tried to attack you or not.
Instructions for GameOver Zeus removal
To remove GameOver Zeus from the PC, you have to obtain reputable security software, such as FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. After the installation, update your preferred tool and run a full system scan. The program should eliminate malware automatically.
After GameOver Zeus removal, we highly recommend changing all of your passwords in order to protect your money and sensitive information from the attackers.
If this Trojan has already infected your PC with Cryptolocker, try to follow these steps:
- Reboot you infected PC to “Safe mode with command prompt” by following instructions below to disable virus (this should be working with all versions of this threat)
- Run Regedit
- Search for WinLogon Entries and write down all the files that are not explorer.exe or blank. Replace them with explorer.exe.
- Search the registry for these files you have written down and delete the registry keys referencing the files.
- Reboot and run a full system scan with updated security software.
Was this guide helpful?
Be the first to comment