New ZBot Trojan variant (Oct 28, 2008)
The SonicWALL UTM Research team observed a new ZBot variant being spammed in the wild through an "Angelina Jolie video" spam campaign that started on Saturday, October 25, 2008. The campaign uses a fake e-mail message that claims to contain an Angelina Jolie video; the e-mail carries a zip archive attachment, and the archive contains the new ZBot variant.
SonicWALL has received more than 10,000 e-mail copies of this malware so far. The e-mail looks like the following:
Attachment: anjelina_video.zip (contains anjelina_video.exe)
Subject: New Anje1lna Jo1ie p0rn
Email Body:
————————
Anje1lna Jo1ie p0rn video, file attached, watch him
————————
Starting October 27, 2008, the spam campaign changed to a "new eCard" theme, using a fake e-mail message that claims to contain an eCard. The e-mail carries a zip archive attachment, and the archive contains the new ZBot variant.
SonicWALL has received more than 5,000 e-mail copies of this malware so far. The e-mail looks like the following:
Attachment: ecard.zip (contains ecard.exe)
Subject: You have received an eCard
Email Body:
————————
Good day.
You have received an eCard
To pick up your eCard open attached file
We hope you enjoy you eCard.
Thank You!
————————
When executed, the Trojan drops the following malicious files in the Windows system folder:
- twain_32local.ds
- twain_32user.ds
- twext.exe
It modifies the following registry value so that twext.exe is launched by Winlogon at every user logon, alongside the legitimate userinit.exe:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "(System Folder Path)\userinit.exe,(System Folder Path)\twext.exe,"
It also tries to connect to the opokimoki.com domain and sends the following HTTP request:
- GET /los/cfn.bf
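The two host- and network-level indicators above (the extra Userinit entry and the callback request) are the ones a defender would most want to check for. The following script is an added example, not SonicWALL's code: it parses a Winlogon Userinit value and flags every entry other than the legitimate userinit.exe in the system folder, reports which flagged entries match the dropped file names from this advisory, and scans web-proxy log lines for the callback host and path. The log line layout (`timestamp client host path status`), the sample values, and the `C:\Windows\system32` system folder are constructed assumptions; only the file names, host and path come from the advisory.

```python
"""Added example (not SonicWALL's code): checks for the ZBot persistence and
callback indicators listed in the advisory.

Assumptions not taken from the advisory: the proxy log layout
"<timestamp> <client-ip> <host> <path> <status>" and the system folder path.
"""
import re
from typing import Dict, List

# Indicators taken from the advisory text
DROPPED_FILES = {"twain_32local.ds", "twain_32user.ds", "twext.exe"}
CALLBACK_HOST = "opokimoki.com"
CALLBACK_PATH = "/los/cfn.bf"

# Assumption: default system folder on a 32-bit Windows XP/2003 host
SYSTEM_FOLDER = r"C:\Windows\system32"


def parse_userinit(value: str) -> List[str]:
    """Split the Userinit REG_SZ value into entries (comma separated, trailing comma allowed)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_userinit_entries(value: str, system_folder: str = SYSTEM_FOLDER) -> List[str]:
    """Return every Userinit entry that is not "<system folder>\\userinit.exe".

    Windows sets Userinit to that single entry, so anything else (such as the
    twext.exe entry this ZBot variant appends) is a persistence entry to investigate.
    Comparison is case-insensitive because Windows paths are.
    """
    expected = (system_folder.rstrip("\\") + r"\userinit.exe").lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def known_dropped_files(entries: List[str]) -> List[str]:
    """Return the entries whose file name matches one of the advisory's dropped files."""
    hits = []
    for e in entries:
        name = e.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            hits.append(e)
    return hits


# Constructed proxy log layout: "<timestamp> <client-ip> <host> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d+)$"
)


def find_callbacks(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records for requests to the advisory's callback host and path."""
    matches = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        rec = m.groupdict()
        if rec["host"].lower() == CALLBACK_HOST and rec["path"] == CALLBACK_PATH:
            matches.append(rec)
    return matches


if __name__ == "__main__":
    # Constructed sample values: a clean host and one carrying the advisory's modification
    clean = r"C:\Windows\system32\userinit.exe,"
    infected = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\twext.exe,"
    print("clean host extra entries:", suspicious_userinit_entries(clean))
    extra = suspicious_userinit_entries(infected)
    print("infected host extra entries:", extra)
    print("matching advisory file names:", known_dropped_files(extra))

    # Constructed proxy log lines
    sample_log = [
        "2008-10-27T10:01:02 10.0.0.5 www.example.com /index.html 200",
        "2008-10-27T10:01:09 10.0.0.5 opokimoki.com /los/cfn.bf 200",
        "2008-10-27T10:02:00 10.0.0.7 opokimoki.com /other 404",
        "not a log line",
    ]
    for rec in find_callbacks(sample_log):
        print("callback from", rec["client"], "at", rec["ts"])
```

On a live Windows host the Userinit value can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` (or Python's `winreg`) and passed to `suspicious_userinit_entries`; any extra entry should be treated as suspect even if its file name is not one of the three listed here, since the dropped file names vary between variants.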
The Trojan is also known as Trojan-Spy.Win32.Zbot.fql [Kaspersky], Troj/Agent-IAZ [Sophos], and TrojanSpy:Win32/Zbot.gen!C [Microsoft].
SonicWALL Gateway AntiVirus provided proactive protection against this new Zbot variant via GAV: Zbot.FME (Trojan) signature [809,401 hits recorded starting Oct 25, 2008].