New ZBot Variant (Sep 10, 2008)


UPS Invoice spam – New ZBot variant

SonicWALL UTM Research Team has discovered a new wave of fake UPS Invoice e-mails spammed this morning.

The email contains a fake message about not being able to deliver the postal package that you sent on September 1st and it asks you to take a print out of attached copy of invoice in order to collect the package from local UPS office.

SonicWALL has received 1100 e-mail copies of this malware so far. This Trojan is similar to and connects to the same website as Fedex Tracking number spam we alerted on last week.

The e-mails look like following:

Attachment: (contains file ups_invoice.exe)



The e-mail attachment is a zip archive containing an executable file which is a new ZBot variant. Upon execution, it tries to connect to domain which is located at Bendery, Moldova and was registered recently on September 6, 2008. The malware sends following GET request to the domain:

  • GET /loads/engine2.bin HTTP/1.0

It drops the following files:

  • C:WINDOWSsystem32oembios.exe
  • C:WINDOWSsystem32sysproc64sysproc32.sys
  • C:WINDOWSsystem32sysproc64sysproc86.sys
  • C:Documents and SettingsLocalServiceApplication Datasysproc64sysproc32.sys

It also makes following modifications to the Windows registry:

  • HKLM…WinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32oembios.exe,”

SonicWALL Gateway Antivirus detects this new ZBot variant as GAV: ZBot.UPS (Trojan) [66,384 hits recorded]


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.