ZBot IRS spam targeting Tax period (Mar 26, 2010)


The SonicWALL UTM Research team observed a new wave of the previously seen fake IRS notice spam campaign starting yesterday, March 25, 2010, which takes advantage of the tax period to target users. US-CERT issued an alert related to it this morning.

The e-mail purports to come from an irs.gov e-mail address and contains a URL to the fake notice. If the user clicks on this URL, it leads to a fake IRS page which prompts the user to download the new ZBot Trojan variant.

The e-mail looks like:

Subject: Notice of Underreported Income

Email Body:
Taxpayer ID: [email handle-(14 digit random number)US] Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: [email handle-(14 digit random number)US] (<-- Malicious URL)

Internal Revenue Service

The e-mail message is shown below:


The site that opens when the user clicks on the URL inside the e-mail is shown below:


As seen in the screenshot, the malicious site prompts the user to download and execute the IRS notice, which in reality is the malware executable file, as seen here:


The new ZBot variant performs the following activities upon execution:

  • It creates the mutex objects _AVIRA_2108 and _AVIRA_2109 to mark its presence on the system.
  • It attempts to download an encrypted configuration file via the following GET request:
    GET /cnf/shopinf.jpg HTTP/1.1
    Host: shopinfmaster.com
  • It creates the following files:
    • (Windows_System)\lowsec\local.ds
    • (Windows_System)\lowsec\user.ds
    • (Windows_System)\lowsec\user.ds.lll
    • (Windows_System)\sdra64.exe (copy of itself)
  • It ensures that it runs every time Windows restarts by modifying the following registry entry:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "(Windows_System)\userinit.exe,(Windows_System)\sdra64.exe,"
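
The Userinit persistence described above can be audited by splitting the registry value and flagging every entry other than the stock userinit.exe. This is an added example, not code from the original advisory; `audit_userinit`, the `C:\WINDOWS\system32` default standing in for (Windows_System), and the sample values are assumptions constructed for illustration.

```python
import ntpath

# Filename the advisory reports for the Trojan's copy of itself.
ZBOT_COPY = "sdra64.exe"

# Constructed sample values (C:\WINDOWS\system32 is an assumed system directory).
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"


def audit_userinit(value, system_dir=r"C:\WINDOWS\system32"):
    """Return a list of (finding, entry) tuples for a Winlogon Userinit value.

    value is the string data of the Userinit registry value; system_dir is
    the assumed location of the legitimate userinit.exe.
    """
    expected = ntpath.normcase(ntpath.join(system_dir, "userinit.exe"))
    findings = []
    seen_expected = False
    # Userinit is a comma-separated list; Winlogon starts every entry at logon.
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the trailing comma on a stock value is normal
        # Windows paths are case-insensitive, so compare normalised forms.
        path = ntpath.normcase(ntpath.normpath(entry))
        if path == expected:
            seen_expected = True
        elif ntpath.basename(path) == ZBOT_COPY:
            findings.append(("zbot-indicator", entry))
        else:
            # Includes a userinit.exe that sits outside the system directory.
            findings.append(("unexpected-entry", entry))
    if not seen_expected:
        findings.append(("userinit-missing", value))
    return findings


if __name__ == "__main__":
    # On a live Windows host the value would be read from the registry
    # (for example with winreg.QueryValueEx) instead of these samples.
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, audit_userinit(sample))
```

Any entry besides the expected userinit.exe is reported, so the check also surfaces other families that reuse the same persistence point.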

The Trojan is also known as PWS:Win32/Zbot.gen!R [Microsoft] and Packed.Win32.Krap.ae [Kaspersky].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.YP_7 (Trojan) signature.
