Microsoft Security Bulletin with attached executable is malware with a nasty twitch

MX Lab intercepted a few emails from “Microsoft Security <*-update@microsoft.com>”, where * in the from address stands for a random string of letters and numbers. The subject line is “Important Security Update for Windows XP (KB932823)” and the attached file is named Windows Update.exe.

This is the body of the email:

Microsoft Security Bulletin Notification | Critical update and notification service software for genuine Microsoft (r) Windows operating system users.

As part of the monthly security bulletin release cycle, Microsoft provides the Microsoft Security Bulletin Notification Service Software.
This software is intended to help our customers effectively deploy security updates, and includes information about the number of new security updates being released,
the software affected, severity levels of vulnerabilities, and information about any detection tools relevant to the updates.

Please be asvised that this is a critical update affecting Microsoft (c) Windows (r) operating system family.

Note that the advance notification software will provide information about high-priority updates and install the updates that are released the same day as the security updates.
The advance notification software does not provide information about non-security updates released on other days.

Please download the attached bundle and install the Microsoft Advanced Notification and Malware Removal software

Instead of being malware removal software, the attachment is in fact malware, detected as W32/Trojan3.BHU (F-Prot), Trojan-Spy.Win32.Zbot.gen (Kaspersky) or Troj/Zbot-IC (Sophos).
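The three traits the post reports for this mail (a sender in the microsoft.com domain, a subject claiming a Windows XP security update with a KB number, and an attached executable) are enough for a mail gateway or SOC triage script to flag it, since Microsoft ships updates through Windows Update and never as e-mail attachments. The following is an added example, not MX Lab's code: it parses a raw message with Python's standard library and returns the findings. The sample message is constructed for the example; its random local part mimics the pattern described above.

```python
"""Triage of the fake "Microsoft Security Bulletin" mail (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Subject claiming a security update that carries a KB number, e.g. "(KB932823)"
SUBJECT_RE = re.compile(r"security update.*\(KB\d+\)", re.IGNORECASE)


def claims_microsoft(address):
    """True if the sender address is in microsoft.com or one of its subdomains."""
    domain = address.rpartition("@")[2].lower()
    return domain == "microsoft.com" or domain.endswith(".microsoft.com")


def executable_attachments(msg):
    """Names of attached files whose extension marks them as executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw_bytes):
    """Parse one raw RFC 822 message and return the findings plus a verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    exe = executable_attachments(msg)
    result = {
        "sender": sender,
        "claims_microsoft": claims_microsoft(sender),
        "update_subject": bool(SUBJECT_RE.search(str(msg.get("Subject", "")))),
        "executable_attachments": exe,
    }
    if result["claims_microsoft"] and result["update_subject"] and exe:
        result["verdict"] = "phishing"   # vendor-branded "update" delivered as an .exe
    elif exe:
        result["verdict"] = "review"     # executable attachment without brand impersonation
    else:
        result["verdict"] = "clean"
    return result


def build_sample(with_attachment=True):
    """Constructed message mimicking the campaign; not a real captured mail."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <a7f3k-update@microsoft.com>"  # constructed random local part
    msg["To"] = "user@example.com"
    msg["Subject"] = "Important Security Update for Windows XP (KB932823)"
    msg.set_content("Please download the attached bundle and install the software.")
    if with_attachment:
        # A few bytes with an MZ header stand in for the real attachment.
        msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                           subtype="octet-stream", filename="Windows Update.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The verdict logic is deliberately conservative: an executable attachment alone is queued for review, while the combination with vendor impersonation and an update-style subject is treated as phishing outright. In a gateway you would also check SPF/DKIM results for the microsoft.com domain, which the post does not report for these mails.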

The threat has the characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data, takes screenshots, downloads additional components, and gives the attacker remote access to the compromised system. It is a rootkit trojan that steals online banking information and also downloads other malware.

On an infected system the service %System%\sdra64.exe and the hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll are created.

As usual, some registry modifications are made, and for the following list of online banking sites the threat may compromise your access by injecting additional HTML code:

* https://www.gruposantander.es
* https://banking.*.de
* https://internetbanking.gad.de
* https://www.citibank.de
* https://www.us.hsbc.com
* https://www.e-gold.com
* https://online.wellsfargo.com
* https://www.wellsfargo.com
* https://www.paypal.com
* https://www#.usbank.com
* https://easyweb*.tdcanadatrust.com
* https://www#.citizensbankonline.com
* https://onlinebanking.nationalcity.com
* https://www.suntrust.com
* https://www.53.com
* https://web.da-us.citibank.com
* https://onlineeast#.bankofamerica.com
* https://online.wamu.com
* https://onlinebanking#.wachovia.com
* https://resources.chase.com
* https://bancaonline.openbank.es
* https://extranet.banesto.es
* https://banesnet.banesto.es
* https://empresas.gruposantander.es
* https://www.bbvanetoffice.com
* https://www.bancajaproximaempresas.com
* https://probanking.procreditbank.bg
* https://ibank.internationalbanking.barclays.com
* https://ibank.barclays.co.uk
* https://online-offshore.lloydstsb.com
* https://online-business.lloydstsb.co.uk
* http://www.hsbc.co.uk
* https://www.nwolb.com
* https://home.ybonline.co.uk
* https://home.cbonline.co.uk
* https://welcome27.co-operativebank.co.uk
* https://welcome23.smile.co.uk
* https://www.halifax-online.co.uk
* https://www2.bancopopular.es
* https://www.bancoherrero.com
* https://pastornetparticulares.bancopastor.es
* https://intelvia.cajamurcia.es
* https://www.caja-granada.es
* https://www.fibancmediolanum.es
* https://carnet.cajarioja.es
* https://www.cajalaboral.com
* https://www.cajasoldirecto.es
* https://www.clavenet.net
* https://www.cajavital.es
* https://banca.cajaen.es
* https://www.cajadeavila.es
* https://www.caixatarragona.es
* http://caixasabadell.net
* https://www.caixaontinyent.es
* https://www.caixalaietana.es
* https://www.cajacirculo.es
* https://areasegura.banif.es
* https://www.bgnetplus.com
* https://www.caixagirona.es
* https://www.unicaja.es
* https://www.sabadellatlantico.com
* https://oi.cajamadrid.es
* https://www.cajabadajoz.es
* https://montevia.elmonte.es
* https://www.cajacanarias.es
* https://oie.cajamadridempresas.es
* https://www.gruppocarige.it
* https://bancopostaonline.poste.it
* https://privati.internetbanking.bancaintesa.it
* https://hb.quiubi.it
* https://www.iwbank.it
* https://web.secservizi.it
* https://www.isideonline.it
* https://online*.lloydstsb.co.uk
* https://www.mybank.alliance-leicester.co.uk
* https://www.ebank.hsbc.co.uk
* https://www.isbank.com.tr
* https://light.webmoney.ru
* https://olb2.nationet.com
* https://www*.banking.first-direct.com
* https://cardsonline-consumer.com
* https://www.rbsdigital.com
* https://banking*.anz.com
* https://home2ae.cd.citibank.ae
* https://internetbanking.aib.ie
* https://lot-port.bcs.ru
* https://rupay.com
* http://*.osmp.ru
* https://www.uno-e.com
* https://www.ccm.es
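The list above uses two wildcard characters, `*` and `#`, so a defender who wants to know whether a particular login URL falls under this campaign's injection targets has to expand the masks rather than compare strings. The following is an added example, not part of the original post or of the bot's code: it turns each mask into a regular expression and reports the entries a URL hits. Two assumptions are labelled in the code: `*` is taken to match any run of characters and `#` a single digit, which fits the positions where `#` appears in the list (www#., onlineeast#.); and a mask is treated as matching the start of a URL, followed by the end of the string, a path, a query or a port, so that a look-alike domain such as a bank's host name with extra labels appended does not match. Only a representative subset of the list is embedded.

```python
"""Match URLs against Zbot-style target masks (added example)."""
import re

# Representative subset of the target list from the post.
TARGET_MASKS = [
    "https://www.gruposantander.es",
    "https://banking.*.de",
    "https://www#.usbank.com",
    "https://easyweb*.tdcanadatrust.com",
    "https://onlineeast#.bankofamerica.com",
    "https://online*.lloydstsb.co.uk",
    "http://*.osmp.ru",
    "https://www.paypal.com",
]


def mask_to_regex(mask):
    """Compile one mask into a regex.

    Assumption: '*' matches any run of characters and '#' exactly one digit.
    Assumption: the mask anchors at the start of the URL and must be followed
    by end-of-string, '/', '?' or ':' so that appended labels do not match.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append("[0-9]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + r"(?=[/?:]|$)", re.IGNORECASE)


COMPILED = [(mask, mask_to_regex(mask)) for mask in TARGET_MASKS]


def matching_targets(url):
    """Return every mask in the list that the given URL satisfies."""
    return [mask for mask, regex in COMPILED if regex.match(url)]


def is_targeted(url):
    """True if at least one mask matches the URL."""
    return bool(matching_targets(url))


if __name__ == "__main__":
    # Constructed sample URLs, not observed traffic.
    for sample in ["https://www4.usbank.com/login",
                   "https://www.usbank.com/login",
                   "https://online-business.lloydstsb.co.uk/",
                   "https://www.paypal.com.example.net/"]:
        print(sample, "->", matching_targets(sample) or "not targeted")
```

Running a bank's or payment provider's own login URLs through `matching_targets` shows which mask would fire for them; a host such as www.usbank.com without a digit does not match `www#.usbank.com`, which illustrates why the wildcard semantics matter when assessing exposure from a published list like this one.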

When you visit your online banking service, the threat may inject additional fields into the login form in order to steal confidential information. Compromised forms may look like the following screens:

VirusTotal permalink and MD5: ac9fe62b82080e405a9ffadb64bdcdf7.

Can a spammer be creative?

Yes, that is the answer we have today. MX Lab detected a nice piece of spam and we didn’t want to hold this one back from you.

It’s not image-based and not ASCII art, but the text is constructed and formatted entirely from the character “#”. It didn’t render well in Entourage on Mac, so it needs a little work. ;-)
