New ZBot Trojan variant
SonicWALL UTM Research team observed a new ZBot variant being spammed in the wild in an Angelina Jolie video spam campaign that started on Saturday, October 25, 2008. The campaign uses a fake e-mail message that claims to contain an Angelina Jolie video; the e-mail carries a zip attachment containing the new ZBot variant.
SonicWALL has received more than 10,000 e-mail copies of this malware so far. The e-mail looks like the following:
Attachment: anjelina_video.zip (contains anjelina_video.exe)
Subject: New Anje1lna Jo1ie p0rn
Email Body:
------------------------
Anje1lna Jo1ie p0rn video, file attached, watch him
------------------------
Starting October 27, 2008 the spam campaign changed to a "new eCard" theme, using a fake e-mail message that claims to contain an e-card. The e-mail has a zip attachment that contains the new ZBot variant.
SonicWALL has received more than 5,000 e-mail copies of this malware so far. The e-mail looks like the following:
Attachment: ecard.zip (contains ecard.exe)
Subject: You have received an eCard
Email Body:
------------------------
Good day.
You have received an eCard
To pick up your eCard open attached file
We hope you enjoy you eCard.
Thank You!
------------------------
When executed, the Trojan drops the following malicious files in the Windows system folder:
- twain_32local.ds
- twain_32user.ds
- twext.exe
It modifies the following registry value to ensure that twext.exe executes at system startup:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "(System Folder Path)\userinit.exe,(System Folder Path)\twext.exe,"
It also tries to connect to the opokimoki.com domain and sends the following HTTP request:
- GET /los/cfn.bf
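The indicators above (a zip attachment carrying an executable, extra entries appended to the Winlogon Userinit value, the dropped file names, and the request for /los/cfn.bf on opokimoki.com) are easy to check for from the defender's side. The script below is an added example, not SonicWALL's code; the log format, the function names and the sample values are constructed for this illustration, and the registry read only works on Windows.

```python
# Added example (not SonicWALL's code): defender-side checks for the
# indicators listed in the advisory. Sample values below are constructed.
import io
import os
import re
import zipfile
from typing import List, Optional

# Indicators taken from the advisory
DROPPED_FILES = {"twain_32local.ds", "twain_32user.ds", "twext.exe"}
C2_DOMAIN = "opokimoki.com"
C2_PATH = "/los/cfn.bf"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = "userinit.exe"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value; Windows tolerates a trailing comma."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry whose file name is not userinit.exe.

    The variant in the advisory appends twext.exe after the legitimate
    entry, so anything beyond userinit.exe deserves a look.
    """
    flagged = []
    for entry in parse_userinit(value):
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != EXPECTED_USERINIT:
            flagged.append(entry)
    return flagged


def read_userinit_from_registry() -> Optional[str]:
    """Read the live Winlogon Userinit value on Windows; None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


def dropped_files_present(system_dir: str) -> List[str]:
    """Return which of the advisory's dropped file names exist in system_dir."""
    return sorted(name for name in DROPPED_FILES
                  if os.path.exists(os.path.join(system_dir, name)))


# Match lines that reference the C2 host followed by the exact request path
_C2_RE = re.compile(re.escape(C2_DOMAIN) + r"\S*" + re.escape(C2_PATH) + r"(?![\w./-])",
                    re.IGNORECASE)


def find_c2_requests(log_lines: List[str]) -> List[str]:
    """Return proxy/web log lines that fetch the advisory's URL."""
    return [line for line in log_lines if _C2_RE.search(line)]


def executables_in_archive(zip_bytes: bytes) -> List[str]:
    """List archive members with an executable extension (mail gateway check)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [name for name in archive.namelist()
                if name.lower().endswith(EXEC_EXTENSIONS)]


def build_sample_attachment(inner_name: str = "anjelina_video.exe") -> bytes:
    """Constructed stand-in for the spam attachment; the member is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(inner_name, b"placeholder bytes, not a real executable")
    return buf.getvalue()


# Constructed sample data so the checks run offline
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_LOG = [
    "2008-10-27 10:15:02 10.0.0.12 GET http://opokimoki.com/los/cfn.bf 200",
    "2008-10-27 10:15:05 10.0.0.12 GET http://www.example.com/index.html 200",
    "2008-10-27 10:16:11 10.0.0.33 GET http://opokimoki.com/los/cfn.bf 404",
]

if __name__ == "__main__":
    live = read_userinit_from_registry()
    print("Suspicious Userinit entries:", suspicious_userinit_entries(live or SAMPLE_USERINIT))
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    print("Dropped files present:", dropped_files_present(system_dir))
    print("C2 fetches in log:", find_c2_requests(SAMPLE_LOG))
    print("Executables in attachment:", executables_in_archive(build_sample_attachment()))
```

The Userinit check matches on the file name only; a clean value normally holds a single userinit.exe entry under the system folder, so any additional entry, whatever it is called, should be compared against the expected path before it is trusted. The archive check flags executable extensions inside zip attachments regardless of the message subject, which covers both the video and the e-card themes of this campaign.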
The Trojan is also known as Trojan-Spy.Win32.Zbot.fql [Kaspersky], Troj/Agent-IAZ [Sophos], and TrojanSpy:Win32/Zbot.gen!C [Microsoft].
SonicWALL Gateway AntiVirus provided proactive protection against this new ZBot variant via the GAV: Zbot.FME (Trojan) signature [809,401 hits recorded starting Oct 25, 2008].