Fake Invoice - ZBot Downloader

July 16, 2009

The SonicWALL UTM Research team observed a new spam campaign, starting July 16, 2009, whose messages pretend to carry an outstanding debt invoice. The e-mail is written in Spanish and carries a fake invoice attachment that is in fact a new ZBot downloader Trojan.

English Translation of the e-mail:

Attachment: Factura66.zip (contains Factura66.doc [multiple spaces] .exe; the run of spaces pushes the real .exe extension out of view in file listings, so the name appears to end in .doc)

Subject: Outstanding debt

Email Body:
------------------------
Please note that an invoice is outstanding.
------------------------

The executable inside the zip attachment uses a Microsoft Word document icon to disguise itself, and looks like the following:

[screenshot]

The original e-mail message looks like:

[screenshot]

When executed, the downloader Trojan performs the following activity:

  • Drops a copy of itself as (User Local Settings)\Temp\svchost.exe, a name chosen to blend in with the legitimate Windows service host process
  • Modifies the Registry entry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to "Explorer.exe (User Local Settings)\Temp\svchost.exe", so the dropped file is started alongside the Windows shell at every logon
  • Executes the dropped svchost.exe and transfers control to it
  • Checks for Internet connectivity by sending a specific GET request to macromedia.com (with User-Agent: chek)
  • Downloads a new ZBot variant from the URL:
    • www.blondiespizzasunriver.com/images/logot.jpg [Detected as GAV: Zbot.JF_10 (Trojan)]
  • Executes the new ZBot variant

The new ZBot variant performs the following activity:

  • Creates multiple files:
    • (SYSTEM32)\lowsec\local.ds
    • (SYSTEM32)\lowsec\user.ds
    • (SYSTEM32)\lowsec\user.ds.lll
    • (SYSTEM32)\sdra64.exe
  • Modifies the Registry entry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit to "(SYSTEM32)\userinit.exe,(SYSTEM32)\sdra64.exe," so that sdra64.exe is launched by Winlogon at every user logon
  • Attempts to download an encrypted configuration file from the URL:
    • www.monozoro.net/images/swf5.bin
  • Also attempts to download an updated ZBot binary from the URL:
    • www.stuffedchocolate.com/logo.exe [Detected as GAV: Zbot.JF_10 (Trojan)]
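The two persistence tricks listed above (an extra program chained onto Winlogon\Shell by the downloader and onto Winlogon\Userinit by the ZBot payload) and the padded double-extension attachment name from the e-mail translation can be turned into a simple host triage check. The script below is an added example, not SonicWALL code or the malware's own logic. The user profile path, the C:\WINDOWS drive letter and the attachment names are constructed from the artifacts in this write-up; on a Windows host it reads the live Winlogon values with the standard winreg module, elsewhere it runs against the constructed samples.

```python
"""Triage for the Winlogon persistence and disguised-attachment indicators above.

Added example (not SonicWALL code). Sample values are constructed from the
artifacts in the write-up; the user profile path is an assumption.
"""
import sys
from typing import List, Tuple

# A clean host carries exactly these: Shell is the bare explorer.exe and
# Userinit is a single system32\userinit.exe entry (with a trailing comma).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT_TAIL = r"\system32\userinit.exe"

# Extensions Windows will execute, and "innocent" extensions used as bait.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTS = {".doc", ".xls", ".pdf", ".rtf", ".txt", ".jpg"}

# Constructed samples: clean defaults and the values reported after infection.
CLEAN_SHELL = "Explorer.exe"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
DOWNLOADER_SHELL = r"Explorer.exe C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"
ZBOT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_ATTACHMENTS = ["Factura66.doc          .exe", "Factura66.doc"]


def audit_shell(value: str) -> List[str]:
    """Return programs chained after explorer.exe in Winlogon\\Shell.

    The downloader appends its dropped copy after a space, so anything past
    the first token is suspect; a replaced first token is reported whole.
    """
    tokens = value.strip().split(None, 1)
    if not tokens or tokens[0].lower() != EXPECTED_SHELL:
        return [value.strip()]
    return [tokens[1]] if len(tokens) > 1 else []


def audit_userinit(value: str) -> List[str]:
    """Return Userinit entries that are not the system32 userinit.exe.

    Userinit is comma-separated; ZBot appends sdra64.exe as a second entry.
    Requiring the system32 path also catches a relocated userinit.exe.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(EXPECTED_USERINIT_TAIL)]


def attachment_looks_disguised(name: str) -> bool:
    """Flag names like 'Factura66.doc<spaces>.exe'.

    True when the real (last) extension is executable and either the part
    before it is padded with whitespace or ends in a document extension.
    """
    stem, dot, ext = name.rpartition(".")
    if not dot or ("." + ext.lower()) not in EXEC_EXTS:
        return False
    inner = stem.rstrip()
    padded = inner != stem
    inner_ext = ("." + inner.rpartition(".")[2].lower()) if "." in inner else ""
    return padded or inner_ext in DOC_EXTS


def triage(shell: str, userinit: str, attachment_names: List[str]) -> List[str]:
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for extra in audit_shell(shell):
        findings.append(f"Winlogon\\Shell chains an extra program: {extra}")
    for extra in audit_userinit(userinit):
        findings.append(f"Winlogon\\Userinit chains an extra program: {extra}")
    for name in attachment_names:
        if attachment_looks_disguised(name):
            findings.append(f"Attachment name disguises an executable: {name!r}")
    return findings


def read_live_winlogon() -> Tuple[str, str]:
    """Read the real Shell and Userinit values (Windows only; winreg module)."""
    import winreg  # only importable on Windows

    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        shell, _ = winreg.QueryValueEx(key, "Shell")
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    return shell, userinit


if __name__ == "__main__":
    if sys.platform == "win32":
        shell, userinit = read_live_winlogon()
    else:
        shell, userinit = DOWNLOADER_SHELL, ZBOT_USERINIT
    for line in triage(shell, userinit, SAMPLE_ATTACHMENTS) or ["No findings"]:
        print(line)
```

Run against the constructed infected values it reports the chained svchost.exe, the chained sdra64.exe and the padded attachment name, and nothing for the clean defaults. Both Winlogon values are REG_SZ strings, so the same parsing applies to output from `reg query` on a host that cannot run Python.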

The Downloader Trojan is also known as Win32/TrojanDownloader.Delf.OVB trojan [ESET], Trojan-Spy:W32/Zbot.OWF [F-Secure], and Trojan.Win32.Regrun [IKARUS].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Regrun.DGJ (Trojan), GAV: Zbot.JF_10 (Trojan) and GAV: Zbot.TE (Trojan) signatures.