The behavior was exactly the same as the other confirmed ZeuS infections I'd been tracking. However there are some additional elements now that suggest is might be something else
The machine was reaching out at 20 minute intervals to the drop site and had been doing so for 3 days.
Analysis of the logs on the machine showed the AV software recognized it as a trojan and attempted to clean it, but could not clean or delete, it just gave up, so the trojan may be interferring with the AV.
The trojan was parked in the c:\Windows\ directory, not System32
Infection identified as a JS/Exploit-Iframe (Trojan) parked on a legitimate website.
It also attempted to do a mass mailing of itself off port 25 but was blocked by our rules.
So to answer your question, it probably was not ZeuS, I am dealing with a lot of it right now and this one fit the pattern
Topic: Correction to apparent Gozi (Not ZeuS) dropzone at 91.207.61.44 (Read 5456 times)