New ZBot Variant

September 11, 2008

UPS Invoice spam - New ZBot variant

The SonicWALL UTM Research Team has discovered a new wave of fake UPS invoice e-mails being spammed this morning.

The e-mail contains a fake message claiming that a postal package you sent on September 1st could not be delivered, and it asks you to print the attached copy of the invoice in order to collect the package from your local UPS office.

SonicWALL has received 1,100 copies of this e-mail so far. The Trojan is similar to, and connects to the same web site as, the one distributed by the FedEx tracking-number spam we alerted on last week.

The e-mails look like the following:

Attachment: (contains file ups_invoice.exe)



The e-mail attachment is a zip archive containing an executable, which is a new ZBot variant. Upon execution, it attempts to connect to a domain hosted in Bendery, Moldova, that was registered only recently, on September 6, 2008. The malware sends the following GET request to that domain:

  • GET /loads/engine2.bin HTTP/1.0
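The request above is the only network indicator the alert gives, so it is what a proxy or gateway log search should key on. The following is an added example, not SonicWALL's code or signature: it scans constructed proxy log lines (a simple "date time client method url version status" layout, invented for the example; the host name c2.example is a placeholder, since the alert does not name the domain) and returns every client that issued a GET for /loads/engine2.bin. The match is on the URL path only, folded to lower case, so a query string or an upper-case path does not hide the request, and the server's status code is ignored because a 404 still means an infected client tried.

```python
import re
from urllib.parse import urlsplit

# Path fetched by the ZBot variant, as captured in the advisory above.
ZBOT_CONFIG_PATH = "/loads/engine2.bin"

# Constructed proxy log lines (not real traffic) in a simple
# "date time client method url version status" layout. The host name
# c2.example is a placeholder: the advisory does not name the domain.
SAMPLE_LOG = """\
2008-09-11 09:14:02 10.0.0.17 GET http://www.example.com/index.html HTTP/1.1 200
2008-09-11 09:14:05 10.0.0.17 GET http://c2.example/loads/engine2.bin HTTP/1.0 200
2008-09-11 09:15:40 10.0.0.23 GET http://c2.example/LOADS/engine2.bin HTTP/1.0 404
2008-09-11 09:16:01 10.0.0.31 POST http://c2.example/loads/engine2.bin HTTP/1.1 200
2008-09-11 09:17:12 10.0.0.44 GET http://c2.example/loads/engine2.bin?x=1 HTTP/1.0 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<version>HTTP/\d\.\d) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_zbot_config_fetch(rec):
    """True when a parsed record is a GET whose URL path is /loads/engine2.bin.

    Only the path is compared, so a query string does not hide the request,
    and the comparison folds case so /LOADS/engine2.bin is caught as well.
    The status code is deliberately not checked: a 404 still shows that an
    infected client tried to fetch the file.
    """
    if rec["method"] != "GET":
        return False
    return urlsplit(rec["url"]).path.lower() == ZBOT_CONFIG_PATH


def find_zbot_fetches(log_text):
    """Scan log text and return one summary record per matching request."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_zbot_config_fetch(rec):
            continue
        hits.append({
            "timestamp": rec["date"] + " " + rec["time"],
            "client": rec["client"],
            "host": urlsplit(rec["url"]).hostname,
            "status": int(rec["status"]),
            # The captured request used HTTP/1.0; keep that as a secondary
            # signal rather than a requirement, since a later build may change it.
            "http10": rec["version"] == "HTTP/1.0",
        })
    return hits


if __name__ == "__main__":
    for hit in find_zbot_fetches(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['host']} "
              f"status={hit['status']} http10={hit['http10']}")
```

Each hit identifies an internal client to pull for the host-side checks; the `host` field is what you would add to a block list once confirmed. Adapt `LINE_RE` to your proxy's real log format before running it against production logs.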

It drops the following files:

  • C:\WINDOWS\system32\oembios.exe
  • C:\WINDOWS\system32\sysproc64\sysproc32.sys
  • C:\WINDOWS\system32\sysproc64\sysproc86.sys
  • C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys

It also makes the following modification to the Windows registry, appending oembios.exe to the Winlogon Userinit value so that the dropped executable is started at every interactive logon:

  • HKLM\...\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,"
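The dropped files and the Userinit change are the host-side indicators to check on any machine that opened the attachment. The following is an added example, not SonicWALL's code: it takes the Userinit value as read from the registry (by `reg query` or a registry export on the host) and a file listing, splits the comma-separated Userinit value into entries, flags every entry other than userinit.exe under system32, and reports which of the listed dropped files are present. The `%SystemRoot%` and `%LocalServiceAppData%` placeholders, the default paths substituted for them, and the sample file listing are assumptions made for the example, not details from the alert.

```python
import ntpath

# Values from the advisory: the Userinit value after infection, and the stock
# Windows XP value for comparison.
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Files the advisory lists as dropped. %SystemRoot% and %LocalServiceAppData%
# are placeholders substituted at check time so the list also applies to hosts
# whose Windows directory is not C:\WINDOWS (an assumption, not from the advisory).
DROPPED_FILES = [
    r"%SystemRoot%\system32\oembios.exe",
    r"%SystemRoot%\system32\sysproc64\sysproc32.sys",
    r"%SystemRoot%\system32\sysproc64\sysproc86.sys",
    r"%LocalServiceAppData%\sysproc64\sysproc32.sys",
]

# Constructed file listing standing in for a directory walk of an infected host.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\oembios.exe",
    r"C:\WINDOWS\system32\sysproc64\sysproc32.sys",
    r"C:\WINDOWS\system32\calc.exe",
]


def _norm(path):
    """Normalise a Windows path for comparison (separators and case)."""
    return ntpath.normpath(path).lower()


def split_userinit(value):
    """Split the comma-separated Userinit value into cleaned, non-empty entries.

    The stock value ends in a comma, so the trailing empty field is dropped;
    quotes and surrounding whitespace are stripped from each entry.
    """
    entries = []
    for item in value.split(","):
        item = item.strip().strip('"')
        if item:
            entries.append(item)
    return entries


def unexpected_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Return every Userinit entry other than userinit.exe under system32."""
    expected = _norm(ntpath.join(system_root, "system32", "userinit.exe"))
    return [e for e in split_userinit(value) if _norm(e) != expected]


def present_dropped_files(existing_paths, system_root=r"C:\WINDOWS",
                          local_service_appdata=r"C:\Documents and Settings\LocalService\Application Data"):
    """Return the advisory's dropped-file paths that appear in a file listing."""
    have = {_norm(p) for p in existing_paths}
    found = []
    for template in DROPPED_FILES:
        path = (template.replace("%SystemRoot%", system_root)
                        .replace("%LocalServiceAppData%", local_service_appdata))
        if _norm(path) in have:
            found.append(path)
    return found


def assess_host(userinit_value, listing):
    """Combine both checks into one verdict for a host."""
    extra = unexpected_userinit_entries(userinit_value)
    dropped = present_dropped_files(listing)
    return {"userinit_extra": extra, "dropped_present": dropped,
            "suspect": bool(extra or dropped)}


if __name__ == "__main__":
    print(assess_host(INFECTED_USERINIT, SAMPLE_LISTING))
    print(assess_host(CLEAN_USERINIT, [r"C:\WINDOWS\system32\calc.exe"]))
```

Anything the Userinit check returns is worth treating as a finding even if none of the listed files are present, since a later build of the same family can rename the dropped executable while keeping the same persistence mechanism. When cleaning a host, restore the value to exactly `C:\WINDOWS\system32\userinit.exe,` (with the trailing comma); a Userinit value that no longer points at userinit.exe breaks interactive logon.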

SonicWALL Gateway Antivirus detects this new ZBot variant as GAV: ZBot.UPS (Trojan) [66,384 hits recorded]