Fake IRS Notice – New ZBot variant (Oct 09, 2009)
SonicWALL UTM Research team observed a new wave of the Fake IRS notice campaign during the last three days.
The e-mail is spoofed to appear to come from an irs.gov address and contains a URL to a supposed IRS notice about unreported income. If the user clicks the URL, it leads to the download of a new ZBot Trojan variant.
The e-mail looks like:
Subject: Notice of Underreported Income
Email Body:
————————
Taxpayer ID: [email handle-(14 digit random number)US] Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
review tax statement for taxpayer id: [email handle-(14 digit random number)US] (<-- Malicious URL)
Internal Revenue Service
————————
A screenshot of the e-mail message is shown below:
The site that opens when the user clicks the URL in the e-mail is shown below:
As seen in the screenshot, the malicious site prompts the user to download and execute the "IRS notice", which is in reality the malware executable, as seen here:
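The lure above works only because the recipient trusts the From: header and never compares it with where the link actually goes. The following added example (not code from the SonicWALL advisory) implements that comparison for a mail gateway or triage script: it parses a message, pulls every URL out of the text parts, and flags links whose host does not belong to the domain claimed in From: or that point straight at an executable. The sample messages, the sender address, the taxpayer ID and the link host are constructed for the example; they are not values captured from the campaign.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the lure quoted above. Sender address,
# taxpayer ID and link host are assumptions for this example, not values
# captured from the campaign.
SAMPLE_EMAIL = b"""\
From: Internal Revenue Service <notice@irs.gov>
To: victim@example.com
Subject: Notice of Underreported Income
Content-Type: text/plain; charset=us-ascii

Taxpayer ID: victim-12345678901234US Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website
(click on the link below):
review tax statement for taxpayer id: victim-12345678901234US
http://irs-statements.example.invalid/review.php?id=12345678901234
Internal Revenue Service
"""

# Same lure with the link pointing at the real agency domain (constructed),
# to show the check does not fire on a consistent message.
BENIGN_EMAIL = SAMPLE_EMAIL.replace(
    b"http://irs-statements.example.invalid/review.php?id=12345678901234",
    b"https://www.irs.gov/individuals",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def claimed_sender_domain(msg):
    """Domain the From: header claims, lowercased ('' if none)."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    addr = m.group(1) if m else raw.strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate every text/plain and text/html part of the message."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )


def same_organisation(host, domain):
    """True if host is the claimed domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw_message):
    """Return [(url, [reasons])] for every link that contradicts the claimed sender.

    Two checks: the link host must belong to the domain in From:, and the
    link must not point directly at an executable (the lure site in this
    campaign hands the victim an .exe posing as an IRS notice).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    domain = claimed_sender_domain(msg)
    findings = []
    for url in URL_RE.findall(body_text(msg)):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if domain and not same_organisation(host, domain):
            reasons.append("link host %r does not belong to claimed sender domain %r" % (host, domain))
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link points directly at an executable")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, suspicious_links(raw))
```

The host comparison deliberately treats any subdomain of the claimed domain as legitimate; a stricter deployment would also require that the From: domain pass SPF or DKIM, since the header itself is trivially forged, as it was here.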
The new ZBot variant performs the following activities upon execution (here (Windows_System) stands for the Windows system directory, e.g. C:\Windows\System32):
- Creates the following files:
- (Windows_System)\lowsec\local.ds
- (Windows_System)\lowsec\user.ds
- (Windows_System)\lowsec\user.ds.lll
- (Windows_System)\sdra64.exe
(Copy of itself)
- Ensures that it runs every time Windows restarts by modifying the following registry entry:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "(Windows_System)\userinit.exe,(Windows_System)\sdra64.exe,"
Because Winlogon launches every comma-separated entry in the Userinit value at logon, the appended sdra64.exe starts before the user's shell in every session, not just after a reboot.
- It tries to connect to a predetermined IP address on the HTTP port and sends the following GET requests:
- http://195.93.208(REMOVED)livs/rec.php
- http://195.93.208(REMOVED)lcc/ip1.gif
- http://195.93.208(REMOVED)ip.php
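The Userinit modification and the dropped files above are the host-side indicators an incident responder would check first. The following added example (written for this page, not SonicWALL's own tooling) turns them into a check: it parses a Userinit value into its comma-separated entries and reports anything other than the genuine userinit.exe, and intersects a path listing (from a live system or a forensic image) with the file artifacts listed above. The two Userinit strings and the default system directory are constructed values for the offline walk-through; on Windows the script reads the real registry value via winreg.

```python
import ntpath
import os
import sys

# Registry location the variant tampers with (under HKLM) and the single
# entry Windows itself places there.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
GENUINE_USERINIT = "userinit.exe"

# Files this variant drops, relative to the Windows system directory.
ZBOT_DROPPED_FILES = (
    r"sdra64.exe",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
    r"lowsec\user.ds.lll",
)


def userinit_entries(value):
    """Split the comma-separated Userinit string; drop blanks and surrounding quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value, system_dir=r"C:\Windows\system32"):
    """Every Userinit entry that is not the genuine userinit.exe.

    The full path inside system_dir and the bare name are accepted; anything
    else (such as the sdra64.exe this variant appends) is returned verbatim.
    """
    genuine_full = ntpath.join(system_dir, GENUINE_USERINIT).lower()
    flagged = []
    for entry in userinit_entries(value):
        e = entry.lower()
        if e == genuine_full or e == GENUINE_USERINIT:
            continue
        flagged.append(entry)
    return flagged


def zbot_file_artifacts(system_dir=r"C:\Windows\system32"):
    """Absolute paths of the files dropped by this variant."""
    return [ntpath.join(system_dir, p) for p in ZBOT_DROPPED_FILES]


def present_artifacts(existing_paths, system_dir=r"C:\Windows\system32"):
    """Artifact paths that appear in a listing (case-insensitive, as NTFS is)."""
    have = {p.lower() for p in existing_paths}
    return [p for p in zbot_file_artifacts(system_dir) if p.lower() in have]


def read_live_userinit():
    """Read the real Userinit value on Windows; None elsewhere (winreg unavailable)."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


# Constructed Userinit values for the offline walk-through (the clean one is
# the Windows default; the infected one mirrors the modification described above).
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,"


if __name__ == "__main__":
    if sys.platform == "win32":
        system_dir = os.path.join(os.environ["SystemRoot"], "system32")
        value = read_live_userinit()
        on_disk = [p for p in zbot_file_artifacts(system_dir) if os.path.exists(p)]
    else:
        system_dir, value, on_disk = r"C:\Windows\system32", INFECTED_USERINIT, []
    print("unexpected Userinit entries:", unexpected_userinit_entries(value, system_dir))
    print("dropped files present:", on_disk)
```

Checking Userinit for extra entries rather than for the literal string sdra64.exe is the durable form of this check: later ZBot builds changed the file name but kept the same persistence key, so an unexpected second entry is the signal, not the name.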
The Trojan is also detected as Trojan-Spy.Win32.Zbot [Ikarus] and Trojan-Spy.Win32.Zbot.gen [Kaspersky].
SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.GEN_84 (Trojan) and GAV: Zbot.GEN_85 (Trojan) signatures.