Balance checker Trojan - New Zbot variant

November 17, 2009

The SonicWALL UTM Research team observed a new Zbot Trojan variant being spammed in a campaign targeting Verizon Wireless customers. The e-mail messages pretend to come from Verizon Wireless and inform users that their account is over the limit. They also ask the user to download the attachment, which pretends to be a balance checker program for reviewing payments.

The email messages look like this:


The spam campaign started during the morning of November 13th, 2009 and lasted until the early hours of November 16th, 2009. The SonicWALL UTM Research team saw e-mails being spammed at a steady rate of 200,000 e-mails per hour throughout the weekend.

The fake balance checker application included in the e-mail is the new Zbot Trojan variant. This Zbot variant was re-packaged six times over the weekend in order to evade antivirus detection. Previous Zbot spam campaigns also used social engineering lures such as "Myspace password reset confirmation" and "Fake IRS notice".

SonicWALL Gateway AntiVirus provided proactive protection against this entire spam campaign via the GAV: Regrun (Trojan) signature. There were close to 9 million hits recorded for this signature in the last five days.