Fake Outlook update - New ZBot

June 23, 2009

The SonicWALL UTM Research team observed a spam campaign posing as a critical update for Microsoft Outlook. The e-mail links to a spoofed Microsoft security website that serves a new ZBot Trojan variant.

ZBot is a banking Trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives an attacker remote access to the compromised system. Read more about the Zeus/ZBot Trojan family here: https://www.mysonicwall.com/SonicAlert/index.asp?ev=article&id=132

This malware is 83,456 bytes in size.

When executed, it creates the following files on the system:

  • %System%\lowsec\local.ds
  • %System%\lowsec\user.ds
  • %System%\lowsec\user.ds.lll
  • %System%\sdra64.exe

It modifies the registry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit = "%System%\userinit.exe,%System%\sdra64.exe,"

so that sdra64.exe runs every time Windows starts.

It creates the following registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network] UID = "%ComputerName%_0004DCC0"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings] ProxyEnable = 0x00000000
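As an added triage example (not SonicWALL's code and not part of the original alert), the following Python checks a Winlogon Userinit value and a list of file paths against the dropped-file and persistence indicators listed above. The sample Userinit value and file list are constructed; %System% is assumed to expand to C:\WINDOWS\system32, and the optional live registry read uses the standard winreg module, so it only runs on Windows.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Dropped-file names from the advisory, matched as path suffixes so that any
# drive letter or system-directory spelling is accepted.
ZBOT_FILE_PATTERNS = [
    re.compile(r"\\lowsec\\local\.ds$", re.IGNORECASE),
    re.compile(r"\\lowsec\\user\.ds(\.lll)?$", re.IGNORECASE),
    re.compile(r"\\sdra64\.exe$", re.IGNORECASE),
]


def userinit_entries(value: str) -> List[str]:
    """Split the Winlogon Userinit value into its comma-separated programs."""
    return [e.strip() for e in value.split(",") if e.strip()]


def userinit_extras(value: str) -> List[str]:
    """Return every Userinit entry that is not userinit.exe itself.

    A clean install lists only userinit.exe (with a trailing comma); anything
    appended, such as sdra64.exe here, is launched by Winlogon and is a
    persistence point worth investigating.
    """
    return [e for e in userinit_entries(value)
            if ntpath.basename(e).lower() != "userinit.exe"]


def zbot_file_indicators(paths: Iterable[str]) -> List[str]:
    """Return the paths that match this variant's dropped-file names."""
    return [p for p in paths
            if any(pat.search(p) for pat in ZBOT_FILE_PATTERNS)]


def assess(userinit_value: str, paths: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one verdict for a host."""
    extras = userinit_extras(userinit_value)
    hits = zbot_file_indicators(paths)
    return {
        "userinit_extras": extras,
        "file_hits": hits,
        "suspected_zbot": bool(extras) or bool(hits),
    }


# Constructed samples (not captured from a real host): the Userinit value as
# this variant leaves it, plus a directory listing with two benign files mixed in.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\lowsec\local.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds.lll",
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\calc.exe",
]


def read_live_userinit() -> str:
    """On Windows, read the real Userinit value; elsewhere fall back to the sample."""
    try:
        import winreg
    except ImportError:
        return SAMPLE_USERINIT
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # With the constructed samples this reports sdra64.exe as a Userinit extra
    # and all four dropped files as hits.
    print(assess(SAMPLE_USERINIT, SAMPLE_FILES))
```

The Userinit check is deliberately generic: it flags any program other than userinit.exe, so it also catches other families that use the same persistence value, while the file-name check is specific to the indicators in this alert.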

The e-mail looks like:

[screenshot of the spam e-mail]

The Trojan is also known as Trojan-Spy.Win32.Zbot.xdj [Kaspersky], Mal/Zbot-O [Sophos] and Trojan.Spy.LooksLike.ZBot [McAfee].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.XDJ (Trojan) signature.