Return of Zbot Spam (Dec 3, 2010)


The SonicWALL UTM Research team received reports of a new variant of the Zbot worm spreading in the wild. This variant is being spread through e-mails containing links to the malicious file.

Below is the content of the e-mail:

Email Subject:

  • Your package has arrived!

Email Body:

    Dear client

    Your package has arrived.
    The tracking # is: 1Z45AR990283682749 and can be used at:


    The shipping invoice can be downloaded from :


    Thanks you,
    United Parcel Service

    *** This is an automatically generated email, please do not reply *** ===================================================

The e-mail message appears as shown below:


The tracking number and the first link point to the legitimate UPS website and resolve to a real package belonging to someone else. This lends the message credibility and tempts the user to click the second link, which downloads the Zbot executable.

The malicious link may lead to any of the following URLs:

  • hxxp://th{REMOVED}.net/e107_files/cache/invoice.scr
  • hxxp://e1{REMOVED}dk/e107_files/cache/invoice.scr
  • hxxp://ed{REMOVED}om/e107_files/cache/invoice.scr
  • hxxp://{REMOVED}at/e107_files/cache/invoice.scr
  • hxxp://www.s{REMOVED}nl/weblog/pm/images/invoice.scr

Once the user runs the downloaded file, it will perform the following activities:

File Operation:

Added Files

  • Documents and Settings\{user}\Application Data\Eszauxohxi.aqd – (5 KB)
  • Documents and Settings\{user}\Application Data\Ugarckesy.exe – (159 KB) [ Detected as GAV: Kryptik.IOL (Trojan) ]

Note: the folders created may differ from one system to another.

Registry Operation:

Added Entries

  • KEY: HKEY_CURRENT_USER\Software\Microsoft\Iduwy Lowoo
  • Allows the program to run without user notification:
    KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: {1BF5BAE0-A94B-EB99-7464-692B693EE661}
    Data: "Documents and Settings\{user}\Application Data\Ugarckesy.exe"
  • KEY: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
    Value: CleanCookies
    Dword: 000000

Network Activity:

The worm was observed making an HTTP request to the following host:

  • www.mortga{REMOVED}
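As an added defender-side example (not code from the advisory or from SonicWALL), the following Python scans a registry export and proxy log lines for the three indicators described above: the GUID-named Run entry launching from Application Data, the CleanCookies value set to 0, and a download of a file named invoice.scr. The registry export, the log lines, the user name alice and the host example.invalid are constructed sample data.

```python
import re
# Indicators taken from the advisory above: a Run-key value named like a GUID whose
# data points into the user's Application Data folder, and IE CleanCookies set to 0.
GUID_NAME = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
RUN_KEY = r'\software\microsoft\windows\currentversion\run'
PRIVACY_KEY = r'\software\microsoft\internet explorer\privacy'
# The download hosts are redacted in the advisory, so the URL check keys on the path ending.
INVOICE_SCR = re.compile(r'https?://\S*/invoice\.scr(?=$|[\s?#])', re.IGNORECASE)

# Constructed sample in "reg export" (.reg) syntax; the user name alice is made up.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"
"{1BF5BAE0-A94B-EB99-7464-692B693EE661}"="C:\\Documents and Settings\\alice\\Application Data\\Ugarckesy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000
'''

# Constructed proxy log lines (example.invalid is a placeholder host).
SAMPLE_PROXY_LOG = [
    '2010-12-03 09:12:01 10.0.0.5 GET http://www.ups.com/WebTracking/track 200',
    '2010-12-03 09:12:40 10.0.0.5 GET http://example.invalid/e107_files/cache/invoice.scr 200',
    '2010-12-03 09:13:02 10.0.0.5 GET http://example.invalid/weblog/pm/images/logo.png 200',
]

def scan_reg_export(text):
    """Return (key, value_name, data, reason) for every entry matching an indicator."""
    hits, key = [], ''
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # start of a new registry key section
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        lowkey = key.lower()
        if (lowkey.endswith(RUN_KEY) and GUID_NAME.match(name)
                and re.search(r'application data|appdata', data, re.IGNORECASE)):
            hits.append((key, name, data, 'GUID-named Run entry launching from Application Data'))
        elif (lowkey.endswith(PRIVACY_KEY) and name.lower() == 'cleancookies'
                and data.lower() == 'dword:00000000'):
            hits.append((key, name, data, 'IE CleanCookies set to 0'))
    return hits

def scan_proxy_log(lines):
    # Keep only the log lines that fetched a file named invoice.scr (a screensaver executable).
    return [l for l in lines if INVOICE_SCR.search(l)]
```

Running `scan_reg_export(SAMPLE_REG_EXPORT)` reports the Run entry and the CleanCookies change and ignores the benign OneDrive entry; `scan_proxy_log(SAMPLE_PROXY_LOG)` returns only the invoice.scr download line.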

The worm is also known as Win32/Spy.Zbot.YW [Eset], DR/Spy.ZBot.avew [Antivir] and Mal/Zbot-AV [Sophos].

SonicWALL Gateway AntiVirus provides protection against this worm via the GAV: Kryptik.IOL (Trojan) signature.
