Fake Invoice – ZBot Downloader (July 16, 2009)


SonicWALL UTM Research team saw a new spam campaign pretending to contain a Debt Invoice, starting July 16, 2009. The spammed e-mail message is in Spanish and contains a fake invoice attachment which is the new ZBot Downloader Trojan.

English Translation of the e-mail:

Attachment: Factura66.zip (contains Factura66.doc [multiple spaces] .exe)

Subject: Outstanding debt

Email Body:
Please note that an invoice is outstanding.

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document and it looks like following:


The original e-mail message looks like:


The Downloader Trojan when executed performs following activity:

  • Drops a copy of itself as (User Local Settings)Tempsvchost.exe
  • Modifies the Registry entry – HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell: “Explorer.exe (User Local Setting)Tempsvchost.exe”
  • Executes the dropped file svchost.exe and transfers control to it
  • Checks for Internet connectivity by sending a specific GET request to macromedia.com (with User-Agent: chek)
  • Downloads a new ZBot variant from the URL:
    • www.blondiespizzasunriver.com/images/logot.jpg [Detected as GAV: Zbot.JF_10 (Trojan)]
  • Executes the new ZBot variant

The new ZBot variant performs following activity:

  • Creates multiple files:
    • (SYSTEM32)lowseclocal.ds
    • (SYSTEM32)lowsecuser.ds
    • (SYSTEM32)lowsecuser.ds.lll
    • (SYSTEM32)sdra64.exe
  • Modifies the Registry entry – HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “(SYSTEM32)userinit.exe,(SYSTEM32)sdra64.exe,”
  • Attempts to download an encrypted configuration file from the URL:
    • www.monozoro.net/images/swf5.bin
  • Further attempts to download a new update of ZBot binary from the URL:
    • www.stuffedchocolate.com/logo.exe [Detected as GAV: Zbot.JF_10 (Trojan)]

The Downloader Trojan is also known as Win32/TrojanDownloader.Delf.OVB trojan [ESET], Trojan-Spy:W32/Zbot.OWF [F-Secure], and Trojan.Win32.Regrun [IKARUS].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Regrun.DGJ (Trojan), GAV: Zbot.JF_10 (Trojan) and GAV: Zbot.TE (Trojan) signatures.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.