Return of Zbot Spam (Dec 3, 2010)
The SonicWALL UTM Research team received reports of a new variant of the Zbot worm spreading in the wild. This variant is being spread through e-mails carrying links to the malicious file.
Below is the content of the e-mail:
Subject:
- Your package has arrived!
Email Body:
- Dear client
Your package has arrived.
The tracking # is: 1Z45AR990283682749 and can be used at:
[http://www.ups.com/tracking/tracking.html]
The shipping invoice can be downloaded from :
[http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273]
Thanks you,
United Parcel Service
*** This is an automatically generated email, please do not reply ***
The e-mail message looks like below:
[Screenshot of the e-mail message; image not reproduced here]
The tracking number and the first link point to the legitimate UPS website and resolve to a package belonging to someone else. Even so, the genuine tracking result lends the message credibility and tempts the user to click the second link, which downloads the Zbot executable.
The malicious link may lead to any of the following:
- hxxp://th{REMOVED}.net/e107_files/cache/invoice.scr
- hxxp://e1{REMOVED}dk/e107_files/cache/invoice.scr
- hxxp://ed{REMOVED}om/e107_files/cache/invoice.scr
- hxxp://www.su{REMOVED}at/e107_files/cache/invoice.scr
- hxxp://www.s{REMOVED}nl/weblog/pm/images/invoice.scr
Once the user runs the downloaded file, it will perform the following activities:
File Operation:
Added Files
- \Documents and Settings\{user}\Application Data\Eszauxohxi.aqd (5 KB)
- \Documents and Settings\{user}\Application Data\Ugarckesy.exe (159 KB) [ Detected as GAV: Kryptik.IOL (Trojan) ]
*Note that the folder and file names created may differ from one system to another.
Registry Operation:
Added Entries
- KEY: HKEY_CURRENT_USER\Software\Microsoft\Iduwy Lowoo
- KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: {1BF5BAE0-A94B-EB99-7464-692B693EE661}
Data: "\Documents and Settings\{user}\Application Data\Ugarckesy.exe"
- KEY: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
Value: CleanCookies
Dword: 000000
The Run key entry allows the program to start at every logon without user notification.
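The persistence pattern above (a GUID-named value under HKCU\...\Run whose data points to an executable in the user's Application Data folder) can be turned into a simple triage check. The following is an added example, not SonicWALL code; the sample Run-key entries are constructed, and only the Zbot entry mirrors the value name and path from this advisory.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values as (value name, data). The first entry mirrors the advisory; the
# other two are benign entries made up for contrast.
SAMPLE_RUN_KEY = [
    ("{1BF5BAE0-A94B-EB99-7464-692B693EE661}",
     r'"\Documents and Settings\{user}\Application Data\Ugarckesy.exe"'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("SunJavaUpdateSched", r'"C:\Program Files\Java\jre6\bin\jusched.exe" -q'),
]

GUID_RE = re.compile(r"^\{?[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$", re.I)
USER_WRITABLE = ("application data", "appdata", "temp")  # folder name fragments

def executable_path(data: str) -> str:
    """Extract the program path from Run-key data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def suspicious_run_entries(entries):
    """Return [(name, path, reasons)] for entries matching two or more heuristics."""
    findings = []
    for name, data in entries:
        path = executable_path(data)
        folders = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
        reasons = []
        if GUID_RE.match(name):
            reasons.append("GUID-named value")
        if any(w in f for f in folders for w in USER_WRITABLE):
            reasons.append("binary under a user-writable folder")
        if PureWindowsPath(path).suffix.lower() == ".scr":
            reasons.append("screensaver extension used as executable")
        if len(reasons) >= 2:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"{name}: {path} [{', '.join(reasons)}]")
```

On a live Windows host the same list can be built from the real key with the standard `winreg` module (`winreg.OpenKey` / `winreg.EnumValue`) and passed to `suspicious_run_entries`.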
Network Activity:
An HTTP request to the following host was observed from this worm:
- www.mortga{REMOVED}nton.com
The Worm is also known as Win32/Spy.Zbot.YW [Eset], DR/Spy.ZBot.avew [Antivir] and Mal/Zbot-AV [Sophos].
SonicWALL Gateway AntiVirus provides protection against this Worm via the GAV: Kryptik.IOL (Trojan) signature.