Pandemiya is a new Zeus Trojan

Pandemiya is a new commercial Trojan that is an alternative to a more well-known Zeus Trojan. Pandemiya was developed in order to collect sensitive data by stealing confidential files and login details off of the infected system and injecting your browsers with fake webpages such as lotteries, surveys, etc. to gather even more information about the computer user. Pandemiya can also take snapshots of the infected PC screen. It is not that easy to spot the Trojan in your system.



Pandemiya encrypts communication with Control Panel and thus avoids being detected by network analyzers. The infection uses a different source code which is not based on Zeus and consists of more than 25,000 original code lines in C. Other features of Pandemiya include: the ability to affect all major web browsers (Internet Explorer, Mozilla Firefox and Google Chrome), FTP stealer, loader, the ability to load every time Windows starts, reverse proxy, Facebook spreader and more.

The way you can get infected by Pandemiya is simple: if you land on a corrupted webpage your PC will get infected automatically. The Trojan will install .exe file that will go to All Users/Application Data folder and use a random name in order to hide itself. It will then use new value in the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run which will ensure that the Trojan runs every time you turn on your computer. Pandemiya will also add a dynamic link library file using a random name in C:\\Windows\System32 folder and add a registry value that will be linked to the DLL inside the registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. After it finishes the last step Pandemiya will be able to inject itself in all new processes.

Needless to say, if you get infected by Pandemiya you should remove it immediately. First of all, you need to find the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and the .exe file-name in All Users/Application Data folder. Note the name and eliminate the registry value. Afterwards, you need to locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls and find the value with the same name as .exe file that you noted. Note the name of the file and delete the value from the registry. Restart your computer. If you have completed the above steps correctly,  Pandemiya is no longer running on your PC, however, it is still in the system. In order to eliminate last components of the infection you need to delete both files you noted. After you do that, your PC will return back to normal.

Pandemiya is not a wide spread Trojan yet. Cyber criminals that developed the infection are selling it at a high price of 2000$, which may be one of the reasons why the Trojan is not so popular. That, unfortunately, does not mean it will not change in the near future.

Pandemiya Features

Core Features:

  • Injects for the 3 leading internet browsers
  • Grabbers for the 3 leading internet browsers
  • Tasks
  • File Grabber
  • Loader (unique tasks & statistics)
  • Signing of the botnet files to protect them from being hijacked by other fraudsters, and from being analyzed by security analysts or law enforcement.
  • Encrypted communication with the panel (dynamic content + URI – never the same request / data – a kind of bulletproofing against network analyzers)

Additional Features (via plugins):

  • Reverse Proxy
  • FTP Stealer (with combination of an internal iFramer)
  • PE infector (for startup)

Experimental Plugins (soon to be released/ integrated):

  • Reverse hidden RDP
  • Facebook spreader

Leave a Reply