ZBot IRS spam targeting Tax period

March 26, 2010

SonicWALL UTM Research team observed a new wave of the previously seen fake IRS notice spam campaign starting yesterday, March 25, 2010, which takes advantage of the tax period to target users. US-CERT issued an alert related to it this morning.

The e-mail pretends to come from an irs.gov e-mail address and contains a URL to the fake notice. If the user clicks this URL, it leads to a fake IRS page which prompts the user to download the new ZBot Trojan variant.

The e-mail looks like:

Subject: Notice of Underreported Income

Email Body:
------------------------
Taxpayer ID: [email handle-(14 digit random number)US]
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: [email handle-(14 digit random number)US] (<-- Malicious URL)

Internal Revenue Service
------------------------
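As an added illustration (not part of the SonicWALL advisory), the following Python checks a raw message for the features of this lure: a sender claiming to be irs.gov combined with a link to a non-irs.gov host, the subject line, and the "Taxpayer ID: handle-14digitsUS" pattern. Both sample messages are constructed; the handle, the 14-digit number and the link host are placeholders, not the campaign's actual URL.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the template quoted in the advisory; the
# handle, the 14-digit number and the link host are placeholders.
SAMPLE_PHISH = """\
From: "Internal Revenue Service" <notice@irs.gov>
To: jdoe@example.com
Subject: Notice of Underreported Income
Content-Type: text/plain; charset=us-ascii

Taxpayer ID: jdoe-12345678901234US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website
(click on the link below):

review tax statement for taxpayer id: jdoe-12345678901234US
http://notice-hosting.invalid/irs/review.php?id=jdoe-12345678901234US

Internal Revenue Service
"""

# Constructed benign message used as a control.
SAMPLE_BENIGN = """\
From: "Payroll" <payroll@example.com>
To: jdoe@example.com
Subject: Your W-2 is ready
Content-Type: text/plain; charset=us-ascii

Your W-2 can be downloaded from the payroll portal:
https://payroll.example.com/w2

Thanks,
Payroll team
"""

# "Taxpayer ID: <handle>-<14 digits>US", as quoted in the advisory.
TAXPAYER_ID_RE = re.compile(r"Taxpayer ID:\s*[\w.+-]+-\d{14}US", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_SUBJECT = "notice of underreported income"


def _is_irs_host(host):
    host = host.lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")


def _body_text(msg):
    # Concatenate the text parts of a (possibly multipart) message.
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def irs_lure_indicators(raw_message):
    """Return the list of campaign indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = _body_text(msg)
    found = []

    _, sender = parseaddr(msg.get("From", ""))
    claims_irs = _is_irs_host(sender.rpartition("@")[2])

    if LURE_SUBJECT in (msg.get("Subject") or "").lower():
        found.append("lure-subject")
    if TAXPAYER_ID_RE.search(body):
        found.append("taxpayer-id-pattern")

    # Links whose host is not under irs.gov.
    offsite = [u for u in URL_RE.findall(body)
               if not _is_irs_host(urlparse(u).hostname or "")]
    if claims_irs and offsite:
        # Sender claims irs.gov but the link leads elsewhere: the core of the lure.
        found.append("irs-sender-offsite-link")
    return found


if __name__ == "__main__":
    print("phish:", irs_lure_indicators(SAMPLE_PHISH))
    print("benign:", irs_lure_indicators(SAMPLE_BENIGN))
```

The sender/link mismatch is the indicator that survives changes to the wording, since the lure depends on an irs.gov-looking From address pointing at a host the attacker controls; the subject and ID pattern are cheap extra signals for this specific wave.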

The e-mail message looks like below:

[screenshot: the spam e-mail message]

The site that opens when the user clicks the URL inside the e-mail is shown below:

[screenshot: the fake IRS notice page]

As seen in the screenshot, the malicious site prompts the user to download and execute the "IRS notice", which in reality is the malware executable file, as seen here:

[screenshot: the malware executable download]

The new ZBot variant performs the following activities upon execution:

  • It creates the MUTEX objects _AVIRA_2108 and _AVIRA_2109 to mark its presence on the system.
  • It attempts to download an encrypted configuration file via the following GET request:
    GET /cnf/shopinf.jpg HTTP/1.1
    ...
    Host: shopinfmaster.com
  • It creates the following files:
    • (Windows_System)\lowsec\local.ds
    • (Windows_System)\lowsec\user.ds
    • (Windows_System)\lowsec\user.ds.lll
    • (Windows_System)\sdra64.exe (copy of itself)

  • It ensures that it runs every time Windows restarts by modifying the following registry entry:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "(Windows_System)\userinit.exe,(Windows_System)\sdra64.exe,"
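The behaviour list above translates directly into host and proxy-log checks. The following Python is an added example, not SonicWALL's tooling: it takes the Userinit value, a file listing, a mutex listing and proxy log lines as plain data so it runs anywhere, and goes slightly beyond the advisory by flagging the /cnf/shopinf.jpg path on any host, not only shopinfmaster.com. The sample values are constructed (documentation-range addresses, a placeholder unrelated mutex), and the Squid native access.log layout is an assumption about the log source.

```python
from urllib.parse import urlparse

# Indicators quoted in the advisory: config-download request, mutex names and
# the files dropped under the Windows system directory.
CONFIG_HOST = "shopinfmaster.com"
CONFIG_PATH = "/cnf/shopinf.jpg"
MUTEXES = {"_AVIRA_2108", "_AVIRA_2109"}
DROPPED_FILES = (r"lowsec\local.ds", r"lowsec\user.ds", r"lowsec\user.ds.lll", "sdra64.exe")


def suspicious_userinit_entries(value):
    """Return entries of a Winlogon\\Userinit value other than userinit.exe.

    Windows starts every comma-separated entry at logon, which is how the
    Trojan persists after appending its sdra64.exe to the list.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def suspicious_dropped_files(paths):
    """Return the given paths whose tail matches one of the dropped files."""
    return [p for p in paths
            if any(p.lower().endswith("\\" + name.lower()) for name in DROPPED_FILES)]


def observed_mutexes(names):
    """Return the known Trojan mutex names present in a list of mutex names."""
    return sorted(MUTEXES.intersection(names))


def config_fetch_hits(log_lines):
    """Return (client, url) pairs for proxy requests matching the config download.

    Lines are assumed to be in Squid native access.log layout. A request is
    flagged when either the host or the path matches, so a move to another
    host still trips the path indicator.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        parsed = urlparse(url)
        if (parsed.hostname or "").lower() == CONFIG_HOST or parsed.path == CONFIG_PATH:
            hits.append((client, url))
    return hits


def triage(userinit_value, file_paths, mutex_names, log_lines):
    """Collect every indicator hit into one report dict."""
    return {
        "userinit": suspicious_userinit_entries(userinit_value),
        "files": suspicious_dropped_files(file_paths),
        "mutexes": observed_mutexes(mutex_names),
        "config_fetch": config_fetch_hits(log_lines),
    }


# Constructed sample data (not captured from an infected host); client and
# server addresses are documentation-range placeholders.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\lowsec\local.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds",
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\userinit.exe",
]
SAMPLE_MUTEXES = ["_AVIRA_2108", "_AVIRA_2109", "_unrelated_app_mutex"]
SAMPLE_LOG = [
    "1269561600.101    312 10.0.0.5 TCP_MISS/200 4120 GET http://shopinfmaster.com/cnf/shopinf.jpg - DIRECT/192.0.2.10 image/jpeg",
    "1269561601.417     88 10.0.0.7 TCP_HIT/200 9811 GET http://www.example.com/logo.jpg - NONE/- image/jpeg",
    "1269561602.900    205 10.0.0.9 TCP_MISS/200 4120 GET http://203.0.113.44/cnf/shopinf.jpg - DIRECT/203.0.113.44 image/jpeg",
]


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_USERINIT, SAMPLE_FILES, SAMPLE_MUTEXES, SAMPLE_LOG).items():
        print(key, hits)
```

On a live Windows host the Userinit string would come from the registry value named above and the file and mutex listings from the system directory and a handle enumeration; keeping the checks as pure functions over that data makes them reusable from a forensic image or a SIEM export as well.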

The Trojan is also known as PWS:Win32/Zbot.gen!R [Microsoft] and Packed.Win32.Krap.ae [Kaspersky].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.YP_7 (Trojan) signature.