Return of Zbot Spam

December 3, 2010

SonicWALL UTM Research team received reports of a new variant of the Zbot (Zeus) trojan spreading in the wild. This variant is distributed through spam e-mails that carry a link to the malicious file rather than the file itself.

Below is the content of the e-mail:

Subject:

  • Your package has arrived!

Email Body:

    Dear client

    Your package has arrived.
    The tracking # is: 1Z45AR990283682749 and can be used at:


    The shipping invoice can be downloaded from :


    Thanks you,
    United Parcel Service

    *** This is an automatically generated email, please do not reply ***
    ===================================================

The e-mail message as rendered in a mail client was shown in a screenshot (image not reproduced here).
The tracking number and the first link point to the legitimate UPS website and resolve to a real shipment belonging to someone else. That genuine tracking result lends the message credibility and tempts the user to click the second link, which downloads the Zbot executable. Note that the download is named invoice.scr: a .scr (screen saver) file is an ordinary Windows PE executable, so "opening the invoice" runs the malware.

The malicious link was observed pointing to the following locations (domains redacted). The recurring e107_files/cache/ path suggests the files were hosted on compromised websites running the e107 CMS rather than on attacker-registered domains:

  • hxxp://th{REMOVED}.net/e107_files/cache/invoice.scr
  • hxxp://e1{REMOVED}dk/e107_files/cache/invoice.scr
  • hxxp://ed{REMOVED}om/e107_files/cache/invoice.scr
  • hxxp://{REMOVED}at/e107_files/cache/invoice.scr
  • hxxp://www.s{REMOVED}nl/weblog/pm/images/invoice.scr
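The lure above works because one link is genuine and the other is not. The following added example (not part of the original advisory, and not SonicWALL's code) shows the kind of mail-gateway triage a practitioner would write for it: extract every URL from the message, flag downloads that are Windows executables with document-style names, flag the e107_files/cache/ path seen in this campaign, and flag any link whose host does not belong to the brand the message claims to come from. The sample message, its ups.com tracking URL and the example.net download host are constructed placeholders, since the real links were redacted from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample lure modelled on the UPS-themed message above.
# Both links are placeholders; the original message's links were redacted.
SAMPLE_EMAIL = """Dear client

Your package has arrived.
The tracking # is: 1Z45AR990283682749 and can be used at:
https://www.ups.com/track?tracknum=1Z45AR990283682749

The shipping invoice can be downloaded from :
hxxp://www.example.net/e107_files/cache/invoice.scr

Thanks you,
United Parcel Service
"""

# Extensions that Windows will execute directly when "opened".
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

# Domains the claimed sender would legitimately link to (assumed list).
BRAND_DOMAINS = {"United Parcel Service": ("ups.com",)}

# Matches live and defanged (hxxp) URLs up to the first whitespace or quote.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every URL in the text, normalising defanged hxxp:// to http://."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:)")
        urls.append(re.sub(r"^hxxp", "http", u, flags=re.IGNORECASE))
    return urls


def host_in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_url(url, claimed_brand=None):
    """Return the list of reasons this URL looks like a malware lure (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("download is a Windows executable (%s)" % ext)
    if ext in EXECUTABLE_EXTS and re.match(r"(invoice|receipt|label|document)\.", filename):
        reasons.append("document-style file name with an executable extension")
    if "/e107_files/cache/" in path:
        reasons.append("e107_files/cache path seen in this campaign")
    if claimed_brand in BRAND_DOMAINS and not any(
        host_in_domain(host, d) for d in BRAND_DOMAINS[claimed_brand]
    ):
        reasons.append("host %s does not belong to %s" % (host, claimed_brand))
    return reasons


def claimed_brand(body):
    """Return the first known brand name the message claims to be from, if any."""
    lowered = body.lower()
    for brand in BRAND_DOMAINS:
        if brand.lower() in lowered:
            return brand
    return None


def triage_email(body):
    """Map each URL in the body to its list of reasons; an empty list means no finding."""
    brand = claimed_brand(body)
    return {u: classify_url(u, brand) for u in extract_urls(body)}


def verdict(body):
    """'block' if any URL in the body triggered at least one reason, else 'allow'."""
    return "block" if any(triage_email(body).values()) else "allow"


if __name__ == "__main__":
    for url, reasons in triage_email(SAMPLE_EMAIL).items():
        print(url, "->", reasons or "no finding")
    print("verdict:", verdict(SAMPLE_EMAIL))
```

The brand/host mismatch check is the one that generalises beyond this campaign: the legitimate tracking link passes it and the invoice link fails it regardless of the file name used, so it still fires when the attacker switches from invoice.scr to a zipped or renamed payload.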

Once the user runs the downloaded file (invoice.scr), it performs the following activities:

File Operation:

Added Files

  • Documents and Settings\{user}\Application Data\Eszauxohxi.aqd - (5 KB)
  • Documents and Settings\{user}\Application Data\Ugarckesy.exe - (159 KB) [ Detected as GAV: Kryptik.IOL (Trojan) ]
  • Note that the file and folder names can differ on other infected systems.

Registry Operation:

Added Entries

  • KEY: HKEY_CURRENT_USER\Software\Microsoft\Iduwy Lowoo
    (a newly created key with a random-looking name)
  • KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: {1BF5BAE0-A94B-EB99-7464-692B693EE661}
    Data: "Documents and Settings\{user}\Application Data\Ugarckesy.exe"
    This entry allows the program to run at every logon without user notification (persistence).
  • KEY: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
    Value: CleanCookies
    DWORD: 0x00000000
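The persistence entry above has two traits worth hunting for on other hosts: a GUID-style value name under the per-user Run key, and an executable living in a user-writable profile directory (Application Data). The following added example (not part of the original advisory, and not SonicWALL's tooling) parses a `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` text file taken from a host and reports entries with either trait. The embedded .reg text is constructed from the entry described above plus one benign entry; the user name "victim" is a placeholder.

```python
import re

# Constructed .reg export of the per-user Run key. The Zbot entry mirrors the one
# described in this advisory; "victim" stands in for the real user name, and the
# ctfmon.exe entry is a benign control. Real exports are UTF-16 encoded; decode
# the file with encoding="utf-16" before passing its text to suspicious_run_entries().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{1BF5BAE0-A94B-EB99-7464-692B693EE661}"="\"C:\\Documents and Settings\\victim\\Application Data\\Ugarckesy.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Value names shaped like {8-4-4-4-12} hex GUIDs; legitimate Run entries rarely use these.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Profile and temp locations any user can write to, lower-cased with surrounding separators.
USER_WRITABLE_DIRS = ("\\application data\\", "\\appdata\\", "\\local settings\\", "\\temp\\")

# One REG_SZ line in a .reg file: "name"="data", with \" and \\ escapes inside either part.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (processed left to right)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_run_key(reg_text):
    """Return {value_name: data} for REG_SZ values under a ...\\CurrentVersion\\Run key."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = ENTRY_RE.match(line) if in_run else None
        if m:
            entries[unescape(m.group(1))] = unescape(m.group(2))
    return entries


def executable_path(data):
    """Strip surrounding quotes and any arguments to get the program path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1 : data.find('"', 1)]
    return data.split(" ", 1)[0]


def suspicious_run_entries(reg_text):
    """Return [(value_name, path, [reasons])] for Run entries matching the heuristics."""
    findings = []
    for name, data in parse_run_key(reg_text).items():
        reasons = []
        path = executable_path(data)
        if GUID_RE.match(name):
            reasons.append("GUID-style value name")
        if any(d in path.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("runs from a user-writable profile directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_REG):
        print(name, "->", path, reasons)
```

On a live host the same check is a one-liner over the registry API, but triaging an exported file keeps the analysis off the infected machine and lets the same script be run over exports collected from many hosts.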

Network Activity:

The following HTTP request was observed from this trojan (domain redacted):

  • www.mortga{REMOVED}

This trojan is also known as Win32/Spy.Zbot.YW [Eset], DR/Spy.ZBot.avew [Antivir] and Mal/Zbot-AV [Sophos].

SonicWALL Gateway AntiVirus provides protection against this threat via the GAV: Kryptik.IOL (Trojan) signature.