Fake Outlook update – New ZBot (June 23, 2009)
SonicWALL UTM Research team observed a fake Critical Update for Microsoft Outlook spam. The email has a link to a spoofed Microsoft security website which serves a new ZBot Trojan variant.
ZBot is a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. Read more about Zeus/Zbot Trojan Family here: https://www.mysonicwall.com/SonicAlert/index.asp?ev=article&id=132
This malware is 83,456 bytes in size.
When executed it creates the following files on the system:
- %System%lowseclocal.ds
- %System%lowsecuser.ds
- %System%lowsecuser.ds.lll
- %System%sdra64.exe
It modifies registry:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon] Userinit = "%System%userinit.exe,%System%sdra64.exe,"
so that sdra64.exe runs every time Windows starts
It creates registry entries:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetwork] UID = "%ComputerName%_0004DCC0" and [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings] ProxyEnable = 0x00000000
The e-mail looks like:
The Trojan is also known as trojan Trojan-Spy.Win32.Zbot.xdj [Kaspersky], Mal/Zbot-O [Sophos] and Trojan.Spy.LooksLike.ZBot [McAfee]
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.XDJ (Trojan) signature.
