Fake Amazon order - New Zbot variant

May 14, 2010

SonicWALL UTM Research team discovered a new Zbot spam campaign that uses a fake order-payment e-mail from Amazon. The e-mail instructs the user to open the attached file, which it claims is a document containing the order tracking number.

The zip attachment contains a malicious executable whose icon is disguised as a Microsoft Word document. This executable is a new variant of the Zbot Trojan.

The e-mail message looks like:

screenshot

The fake tracking-number "document" extracted from the attachment looks like:

screenshot

If the user opens this file, the executable performs the following activities:

  • Connects to the malicious domain hulejsoops.ru, a Zbot Command & Control (C&C) server, and sends the following HTTP requests:
    • GET /images/bb.php?v=2(REMOVED)m=40
    • GET /images/bb.php?v=2(REMOVED)m=41

  • Upon successful connection and authentication to the C&C server, it receives the following command strings, which direct it to download additional malware as well as an encrypted configuration file:

    screenshot

  • Based on the above command strings, it drops and executes some or all of the following files, depending on the victim machine:
    • (SYSTEM)\lowsec\local.ds
    • (SYSTEM)\lowsec\user.ds
    • (SYSTEM)\lowsec\user.ds.lll
    • (SYSTEM)\sdra64.exe [Detected as GAV: Wigon.KG (Trojan)]
    • (SYSTEM)\thxr.wgo
    • (SYSTEM)\ustftqmbt.exe [Detected as GAV: Wigon.KG (Trojan)]

  • Registry modifications to ensure that the malware is launched at every logon (the Winlogon Userinit value is extended so that Windows starts sdra64.exe alongside the legitimate userinit.exe):
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "(SYSTEM)\userinit.exe,(SYSTEM)\sdra64.exe,"
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ustftqmbt: "(SYSTEM)\ustftqmbt.exe"
  • Downloads the configuration file konf1.bin from one of the URLs found in the command string received from the C&C server.
  • Deletes the original copy of itself.
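The behaviour listed above gives a responder concrete host and network indicators to check for: an extra program appended to the Winlogon Userinit value, a Run entry launching a randomly named executable straight out of %System%, the lowsec directory and sdra64.exe, and the bb.php beacon to the C&C domain. The script below is an added example (not SonicWALL's tooling) that turns those indicators into triage checks and runs them over a constructed host snapshot; the snapshot, the Run-key heuristic (value name equal to the executable's stem, executable located directly in %System%) and the query-string contents between v= and m= in the sample log lines are assumptions, since the alert redacts that part of the request.

```python
"""Triage checks for the Zbot indicators described in this alert (added example)."""
import re
from typing import Dict, List

# A clean Winlogon\Userinit value names one program, userinit.exe, with a
# trailing comma. Zbot appends its dropper so Winlogon launches both at logon.
LEGIT_USERINIT_BASENAMES = {"userinit.exe"}

# File artifacts named in the alert, relative to the system directory.
ZBOT_FILE_SUFFIXES = (r"\lowsec\local.ds", r"\lowsec\user.ds", r"\sdra64.exe")

# Beacon shape from the alert: GET /images/bb.php?v=...m=<n>. The alert
# redacts the middle of the query string, so only the visible parts are matched.
BEACON_RE = re.compile(r"GET\s+/images/bb\.php\?v=\S*?m=\d+", re.IGNORECASE)
C2_DOMAIN = "hulejsoops.ru"


def _basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parent(path: str) -> str:
    """Lower-cased parent directory of a (possibly quoted) Windows path."""
    p = path.strip('"').replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


def parse_userinit(value: str) -> List[str]:
    """Split the Userinit REG_SZ into its comma-separated program paths."""
    return [p.strip() for p in value.split(",") if p.strip()]


def rogue_userinit_entries(value: str) -> List[str]:
    """Every Userinit entry that is not userinit.exe itself."""
    return [e for e in parse_userinit(value)
            if _basename(e) not in LEGIT_USERINIT_BASENAMES]


def rogue_run_entries(run_values: Dict[str, str], system_dir: str) -> Dict[str, str]:
    """Heuristic (assumption) for the Run-key pattern in the alert: value name
    equals the executable's stem and the executable sits directly in %System%."""
    flagged = {}
    for name, cmd in run_values.items():
        if _parent(cmd) == system_dir.lower() and _basename(cmd) == name.lower() + ".exe":
            flagged[name] = cmd
    return flagged


def zbot_file_hits(paths: List[str], system_dir: str) -> List[str]:
    """Paths that match the dropped-file names from the alert under %System%."""
    sysdir = system_dir.lower().rstrip("\\")
    return [p for p in paths
            if any(p.lower() == sysdir + s.lower() for s in ZBOT_FILE_SUFFIXES)]


def find_beacons(log_lines: List[str]) -> List[str]:
    """Proxy log lines showing the bb.php beacon or the C&C domain."""
    return [ln for ln in log_lines
            if BEACON_RE.search(ln) or C2_DOMAIN in ln.lower()]


def triage(snapshot: Dict) -> Dict[str, object]:
    """Run all four checks over a host snapshot and return the findings."""
    sysdir = snapshot["system_dir"]
    return {
        "userinit": rogue_userinit_entries(snapshot["userinit"]),
        "run": rogue_run_entries(snapshot["run"], sysdir),
        "files": zbot_file_hits(snapshot["files"], sysdir),
        "beacons": find_beacons(snapshot["proxy_log"]),
    }


# Constructed snapshot (not real forensic data): an infected Windows XP host
# shaped after the alert, plus benign noise. The "&" between v= and m= is an
# assumption; the alert redacts that part of the query string.
SAMPLE_HOST = {
    "system_dir": r"C:\WINDOWS\system32",
    "userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    "run": {
        "ustftqmbt": r"C:\WINDOWS\system32\ustftqmbt.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    },
    "files": [
        r"C:\WINDOWS\system32\lowsec\local.ds",
        r"C:\WINDOWS\system32\lowsec\user.ds",
        r"C:\WINDOWS\system32\sdra64.exe",
        r"C:\WINDOWS\system32\userinit.exe",
    ],
    "proxy_log": [
        '10.0.0.7 - - [14/May/2010:09:12:01] "GET /images/bb.php?v=2&m=40 HTTP/1.1" 200 hulejsoops.ru',
        '10.0.0.7 - - [14/May/2010:09:12:03] "GET /images/bb.php?v=2&m=41 HTTP/1.1" 200 hulejsoops.ru',
        '10.0.0.7 - - [14/May/2010:09:13:10] "GET /index.html HTTP/1.1" 200 www.example.com',
    ],
}

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_HOST).items():
        print(f"{check}: {hits if hits else 'clean'}")
```

On a live host the Userinit and Run values would come from `reg query` (or PowerShell's Get-ItemProperty) rather than the embedded snapshot; the Userinit check is the most reliable of the four because a stock value has exactly one entry, so any second program is worth a look regardless of its name.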

The Trojan had very low AV detection at the time of writing this alert. It is also known as Trojan.Win32.VBKrypt.td [Kaspersky] and Mal/Koobface-E [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.TD (Trojan) signature.