The SonicWALL UTM Research team observed a new wave of the previously seen fake IRS notice spam campaign starting yesterday, March 25, 2010, which takes advantage of the tax period to target users. US-CERT issued an alert related to it this morning.
The e-mail purports to come from an irs.gov e-mail address and contains a URL to the fake notice. If the user clicks on this URL, it leads to a fake IRS page that prompts the user to download the new ZBot Trojan variant.
The e-mail looks like:
Subject: Notice of Underreported Income
Email Body:
------------------------
Taxpayer ID:
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
review tax statement for taxpayer id: (<-- Malicious URL)
Internal Revenue Service
------------------------
[Screenshot: the e-mail message]
[Screenshot: the site that opens when the user clicks the URL inside the e-mail]
The malicious site prompts the user to download and execute the IRS notice, which in reality is the malware executable file.
[Screenshot: the downloaded malware executable]
The new ZBot variant performs the following activities upon execution:
(Copy of itself)
The Trojan is also known as PWS:Win32/Zbot.gen!R and Packed.Win32.Krap.ae.
SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.YP_7 (Trojan) signature.
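A mail-gateway check for the lure described above, as an added example that is not SonicWALL's code or signature logic: it flags a message that claims an irs.gov sender or carries the quoted subject while linking to a host outside irs.gov. The function names, the sample message and its example.net link are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

LURE_SUBJECT = "notice of underreported income"  # subject quoted in the advisory
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample; the link host is a reserved example domain, not an IoC.
SAMPLE = (
    "From: Internal Revenue Service <notice@irs.gov>\n"
    "Subject: Notice of Underreported Income\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Tax Type: INCOME TAX\n"
    "review tax statement: http://irs.gov.example.net/statement\n"
)

def is_irs_host(host):
    # Match irs.gov or a true subdomain; "irs.gov.example.net" must not pass.
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def body_text(msg):
    # Join every text/* part so links in HTML alternatives are scanned too.
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            parts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def check_message(raw):
    msg = message_from_string(raw)
    # The From header is sender-controlled; it only tells us what the mail claims.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    claims_irs = is_irs_host(sender)
    subject_hit = LURE_SUBJECT in (msg.get("Subject") or "").lower()
    off_domain = []
    for url in URL_RE.findall(body_text(msg)):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL: treat as not IRS
            host = None
        if not is_irs_host(host):
            off_domain.append(url)
    return {"claims_irs": claims_irs, "subject_hit": subject_hit,
            "off_domain": off_domain,
            "suspicious": bool(off_domain) and (claims_irs or subject_hit)}
```

Calling check_message(SAMPLE) returns a dict whose "suspicious" field is true and whose "off_domain" list holds the lookalike link.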