Fake Invoice - ZBot Downloader
The SonicWALL UTM Research team observed a new spam campaign, starting July 16, 2009, that pretends to contain a debt invoice. The spammed e-mail message is in Spanish and carries a fake invoice attachment, which is a new ZBot Downloader Trojan.
English Translation of the e-mail:
Attachment: Factura66.zip (contains Factura66.doc [multiple spaces] .exe)
Subject: Outstanding debt
Email Body:
------------------------
Please note that an invoice is outstanding.
------------------------
The executable file inside the zip attachment uses an icon disguised as a Microsoft Word document and looks like the following:
The original e-mail message looks like this:
When executed, the Downloader Trojan performs the following actions:
- Drops a copy of itself as (User Local Settings)\Temp\svchost.exe
- Modifies the Registry entry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to "Explorer.exe (User Local Settings)\Temp\svchost.exe"
- Executes the dropped file svchost.exe and transfers control to it
- Checks for Internet connectivity by sending a specific GET request to macromedia.com (with User-Agent: chek)
- Downloads a new ZBot variant from the URL:
  - www.blondiespizzasunriver.com/images/logot.jpg [Detected as GAV: Zbot.JF_10 (Trojan)]
- Executes the new ZBot variant
The new ZBot variant performs the following actions:
- Creates multiple files:
  - (SYSTEM32)\lowsec\local.ds
  - (SYSTEM32)\lowsec\user.ds
  - (SYSTEM32)\lowsec\user.ds.lll
  - (SYSTEM32)\sdra64.exe
- Modifies the Registry entry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit to "(SYSTEM32)\userinit.exe,(SYSTEM32)\sdra64.exe,"
- Attempts to download an encrypted configuration file from the URL:
  - www.monozoro.net/images/swf5.bin
- Further attempts to download a new update of the ZBot binary from the URL:
  - www.stuffedchocolate.com/logo.exe [Detected as GAV: Zbot.JF_10 (Trojan)]
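Both the downloader and the ZBot payload persist by appending an extra executable to a Winlogon value (Shell for the downloader, Userinit for ZBot), and the downloader's connectivity check uses the distinctive User-Agent "chek". The following Python is an added detection example, not SonicWALL code: it parses Winlogon Shell/Userinit values into their program entries and flags anything beyond the Windows default or anything under a Temp directory, and it scans proxy log lines for the "chek" User-Agent. The sample registry values and log lines are constructed for the example (the profile path under Documents and Settings is hypothetical); on a live host the two values would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with winreg.

```python
"""Added detection example (not SonicWALL code): checks the two Winlogon
persistence values from the advisory (Shell and Userinit) for extra
executables, and scans constructed proxy log lines for the downloader's
User-Agent string "chek"."""
import ntpath
import re

# Programs Windows itself places in these Winlogon values on XP-era systems
# (the default Shell is Explorer.exe; the default Userinit is userinit.exe).
EXPECTED_BASENAMES = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}


def winlogon_entries(value):
    """Split a Winlogon Shell/Userinit value into its program entries.

    Shell separates entries with spaces and Userinit with commas, and paths
    such as "Local Settings" themselves contain spaces, so rather than
    splitting on a delimiter we take successive minimal spans ending in ".exe".
    """
    return [e.strip(' ,"') for e in re.findall(r".*?\.exe", value, re.IGNORECASE)]


def suspicious_winlogon_entries(value_name, value):
    """Return entries that are not the expected default program for this value,
    or that live under a Temp directory (the downloader drops svchost.exe there)."""
    expected = EXPECTED_BASENAMES[value_name.lower()]
    flagged = []
    for entry in winlogon_entries(value):
        base = ntpath.basename(entry).lower()
        if base not in expected or "\\temp\\" in entry.lower():
            flagged.append(entry)
    return flagged


UA_INDICATOR = "chek"


def find_chek_user_agent(log_lines):
    """Return proxy log lines (combined log format, User-Agent as the last
    quoted field) whose User-Agent is exactly the downloader's "chek"."""
    hits = []
    for line in log_lines:
        m = re.search(r'"([^"]*)"\s*$', line)
        if m and m.group(1).strip().lower() == UA_INDICATOR:
            hits.append(line)
    return hits


# Constructed sample data. The two registry values mirror the modifications
# described in the advisory; the profile path is a hypothetical XP path and
# the proxy log lines are made up for this example.
SAMPLE_SHELL = r"Explorer.exe C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [16/Jul/2009:10:01:02 +0000] "GET http://www.macromedia.com/ HTTP/1.1" 200 512 "-" "chek"',
    '10.0.0.7 - - [16/Jul/2009:10:01:09 +0000] "GET http://www.macromedia.com/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    print("Shell extras:", suspicious_winlogon_entries("Shell", SAMPLE_SHELL))
    print("Userinit extras:", suspicious_winlogon_entries("Userinit", SAMPLE_USERINIT))
    for hit in find_chek_user_agent(SAMPLE_PROXY_LOG):
        print("chek User-Agent:", hit)
```

The check compares only the file name of each entry against the default, so a dropped file that borrows the name userinit.exe or explorer.exe in a non-Temp location would pass; a production check should compare the full path against the real system directory and hash the file. The User-Agent match is exact, since "chek" is short enough that a substring match would hit legitimate agents.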
The Downloader Trojan is also known as Win32/TrojanDownloader.Delf.OVB trojan [ESET], Trojan-Spy:W32/Zbot.OWF [F-Secure], and Trojan.Win32.Regrun [IKARUS].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Regrun.DGJ (Trojan), GAV: Zbot.JF_10 (Trojan) and GAV: Zbot.TE (Trojan) signatures.