FakeRean trojan is using the same subject of the latest ZBot variant

MX Lab has just intercepted an email with the subject “A new settings file for the jp@******.com has just been released”, similar to the latest ZBot variant but with a major difference in distribution: this time the email contains the ZIP archive install.zip with the executable install.exe.

Body of the email:

Dear user of the ****.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox jp@****.com settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, ****.com Technical Support.

Further investigation shows that this virus goes by the names W32/FakeRean.A.gen!Eldorado (F-Prot), TrojanDownloader:Win32/FakeRean (Microsoft), W32/PackSpam.A!worm (Fortinet) or W32/FakeAV.AE!genr (Norman).

Virus Total permalink and MD5: 7d96ce7f588613f0343049918de70665. Only 15 of the 41 AV engines detected the trojan correctly. For more information regarding this trojan you can check the Microsoft Malware Protection Center.

[Update - 16/10/2009 11:36 PM, local Belgian time]

The subject line changed to “Microsoft Outlook Notification for the ******.******@*****.be” and this is now the body of the email:

You have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.

The trojan itself is still in the same ZIP archive and is around 50 kB in size.

Virus Total permalink and MD5: 958e5d61d6617806f649946e02ff04c8. At Virus Total only 24 of the 41 AV engines detect the trojan, so be careful.

ZBot variant masked as settings file for MS Outlook

MX Lab has been tipped about a new 0-day email-borne virus by Alan Dougherty from the company Synergistix. Thanks for sharing this with us. MX Lab intercepted only one sample of the email, so we had the opportunity to investigate it.

The email comes from suport@****.com, where **** stands for the domain used in the recipient's email address. This makes the receiver think it comes from the support department of his own company. If you don’t have a support department it should be clear that this is spoofed and that the email must be handled as suspicious. If you do have a support department, don’t accept that they would give you instructions on how to install and run executables.

Possible subjects are:

A new settings file for the andre@****.com mailbox
The settings for the andre@****.com mailbox

The body of the email:

Dear user of the beweb.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (andre@b****.com) settings were changed. In order to apply the new set of settings click on the following link:

hxxp://b****.com/owa/service_directory/settings.php?email=andre@b****.com=b****.com=andre

Best regards, beweb.com Technical Support.

The malware is not attached to the email; the included link takes you to a web site where you need to download the .exe file and apply the new settings. The malware goes by the names Trojan-Spy.Win32.Zbot.gen (F-Secure), Mal/Zbot-R (Sophos) or PWS:Win32/Zbot.gen!R (Microsoft). The file itself is about 92 kB in size and is named settings-file.exe.
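The two lures in these posts share the same tells: a sender forged as the recipient's own support desk, a body that asks the reader to "apply new settings", and either a ZIP carrying an executable (install.zip / install.exe) or a link that hands the recipient's address to a server-side script (settings.php). The following mail-gateway triage script is an added example, not MX Lab's tooling; it builds two constructed messages modelled on the quoted lures (example.com addresses, a two-byte placeholder instead of a real binary) and reports which indicators fire.

```python
"""Mail-gateway triage for the lures quoted in this post (added example)."""
import email.policy
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
LURE_PHRASES = ("settings were changed", "re-configure", "install")


def build_sample(with_zip):
    """Construct a message modelled on the two lures quoted in this post.

    Constructed sample: addresses use the reserved example.com domain and the
    zipped 'install.exe' holds two placeholder bytes, not a real binary.
    """
    msg = EmailMessage()
    msg["From"] = "suport@example.com"
    msg["To"] = "andre@example.com"
    msg["Subject"] = "A new settings file for the andre@example.com mailbox"
    if with_zip:
        msg.set_content("Please re-configure your Microsoft Outlook again.\n"
                        "Download attached setup file and install.\n")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("install.exe", b"MZ")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="install.zip")
    else:
        msg.set_content("Your mailbox settings were changed. Apply them here:\n"
                        "http://example.com/owa/service_directory/settings.php"
                        "?email=andre@example.com\n")
    return msg.as_bytes()


def _domain(addr):
    """Domain part of a From/To header value, lower-cased."""
    return str(addr).rsplit("@", 1)[-1].strip(" <>").lower()


def triage(raw):
    """Return the list of lure indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=email.policy.default)
    findings = []
    sender, recipient = str(msg.get("From", "")), str(msg.get("To", ""))
    # The post's key observation: the sender is forged to look like the
    # recipient's own support department.
    if _domain(sender) and _domain(sender) == _domain(recipient):
        findings.append("sender domain equals recipient domain (spoofed internal support)")
    if re.match(r"\s*(support|suport|helpdesk)@", sender, re.I):
        findings.append("sender poses as a support desk")
    body = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(".zip"):
            # Look inside the archive instead of trusting the .zip extension.
            try:
                names = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
            except zipfile.BadZipFile:
                names = []
            execs = [n for n in names if n.lower().endswith(EXEC_EXT)]
            if execs:
                findings.append(f"zip attachment {fname} contains executable(s): {execs}")
        elif fname and fname.lower().endswith(EXEC_EXT):
            findings.append(f"executable attachment {fname}")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    # A link that hands the recipient's address to a server-side script, as in
    # the settings.php URL quoted above.
    for url in re.findall(r"https?://\S+", body):
        if ".php" in url and "@" in url:
            findings.append(f"link passes the recipient address to a script: {url}")
    if any(phrase in body.lower() for phrase in LURE_PHRASES):
        findings.append("body instructs the reader to apply settings or install software")
    return findings


if __name__ == "__main__":
    for label, raw in (("zip lure", build_sample(True)), ("link lure", build_sample(False))):
        print(label)
        for finding in triage(raw):
            print("  -", finding)
```

The sender-domain rule is the one worth keeping even when the other strings change: a message that claims to come from your own domain but arrives from outside your mail infrastructure should be flagged regardless of its wording, and the archive is opened rather than trusted by extension because the executable in these samples was wrapped in a ZIP precisely to get past attachment filters.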

Regarding ZBot: it is a trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.

The trojan creates the file %System%\sdra64.exe, the hidden directory %System%\lowsec and, inside it, the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds. New memory pages were created in the address space of the system processes services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe.

Several registry settings are modified and the trojan can connect to a remote host at IP 195.93.208.106 on port 80. The data requested is: hxxp://195.93.208.106/livs/rec.php, hxxp://195.93.208.106/lcc/ip1.gif and hxxp://195.93.208.106/ip.php.

The sample from Alan Dougherty used the domain oikkkkuy.co.uk and our sample contained bertdffm.co.uk. These domains were registered by the same licensee today and are already offline. These are so-called fast-flux domains.

With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux domains use a large number of servers and a fast-changing domain A record to turn shutdown attempts into a game.

Domain name:
         bertdffm.co.uk

     Registrant:
         Evelyn Wilson

     Registrant type:
         Non-UK Individual

     Registrant's address:
         805 E. Stocker
         paris
         68554
         Belgium

     Registrar:
         Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
         URL: http://www.123-reg.co.uk

     Relevant dates:
         Registered on: 14-Oct-2009
         Renewal date:  14-Oct-2011
         Last updated:  14-Oct-2009

     Registration status:
         Registration request being processed.

     Name servers:
         No name servers listed.

     WHOIS lookup made at 16:46:50 14-Oct-2009

At the time of writing, Virus Total shows that only 6 of the 41 AV engines detect the new ZBot variant. Virus Total permalink and MD5: 06085157775a67575c8a40ba934af2d2.

[Update - 20/10/2009 - 4:25 PM local Belgian time] The following domains are being used to host the malware:

bertdffm.co.uk
ffffexdl.co.uk
photo.net
polikkp.eu
nerrasssb.eu
nerassssp.co.uk
nerasssspt.co.uk
nerrasssx.eu
nerrasssy.eu
oikkkkuy.co.uk
opopio.co.uk
til1tlli.com
ttl1lll.com
ttl1lii.com
vvverfq.co.uk
vvverkp.co.uk

This is unlikely to be a full list of all malicious URLs.

For the domain nerrasssx.eu we have the following list of A records:

nerrasssx.eu.		1800	IN	A	91.141.19.106
nerrasssx.eu.		1800	IN	A	83.55.90.230
nerrasssx.eu.		1800	IN	A	77.105.4.79
nerrasssx.eu.		1800	IN	A	190.82.168.179
nerrasssx.eu.		1800	IN	A	85.65.48.188
nerrasssx.eu.		1800	IN	A	92.85.230.178
nerrasssx.eu.		1800	IN	A	190.16.45.45
nerrasssx.eu.		1800	IN	A	201.62.140.63
nerrasssx.eu.		1800	IN	A	190.245.16.36
nerrasssx.eu.		1800	IN	A	95.133.54.191
nerrasssx.eu.		1800	IN	A	89.173.151.200
nerrasssx.eu.		1800	IN	A	218.209.20.19
nerrasssx.eu.		1800	IN	A	78.30.202.143
nerrasssx.eu.		1800	IN	A	190.245.42.164
nerrasssx.eu.		1800	IN	A	95.209.138.179

For the domain nerrasssb.eu we have the following list of A records:

nerrasssb.eu.		1800	IN	A	95.133.54.191
nerrasssb.eu.		1800	IN	A	190.245.42.164
nerrasssb.eu.		1800	IN	A	201.62.140.63
nerrasssb.eu.		1800	IN	A	89.173.151.200
nerrasssb.eu.		1800	IN	A	190.16.45.45
nerrasssb.eu.		1800	IN	A	95.209.138.179
nerrasssb.eu.		1800	IN	A	83.55.90.230
nerrasssb.eu.		1800	IN	A	77.105.4.79
nerrasssb.eu.		1800	IN	A	92.85.230.178
nerrasssb.eu.		1800	IN	A	190.82.168.179
nerrasssb.eu.		1800	IN	A	91.141.19.106
nerrasssb.eu.		1800	IN	A	78.30.202.143
nerrasssb.eu.		1800	IN	A	85.65.48.188
nerrasssb.eu.		1800	IN	A	218.209.20.19
nerrasssb.eu.		1800	IN	A	190.245.16.36
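The two record sets above are what fast flux looks like from a resolver: 15 addresses behind a 1800-second TTL, spread over a dozen different /8 blocks (consumer lines in several countries rather than one hosting provider's range), and the same pool shared by two sister domains. The script below is an added example, not part of the original post or of MX Lab's tooling; it parses dig-style A records and scores each domain with a snapshot heuristic (many addresses, short TTL, addresses scattered over many /8 blocks) that is an assumption of this example rather than a standard. The input is constructed from the nerrasssx.eu records quoted above, five of the nerrasssb.eu records, and one ordinary domain in the reserved 192.0.2.0/24 range for comparison.

```python
"""Fast-flux indicator check over dig-style A records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed input: the nerrasssx.eu A records quoted in the post, five of the
# nerrasssb.eu records quoted in the post, and one ordinary domain (constructed,
# reserved documentation range) for comparison.
SAMPLE_RECORDS = """\
nerrasssx.eu.       1800    IN  A   91.141.19.106
nerrasssx.eu.       1800    IN  A   83.55.90.230
nerrasssx.eu.       1800    IN  A   77.105.4.79
nerrasssx.eu.       1800    IN  A   190.82.168.179
nerrasssx.eu.       1800    IN  A   85.65.48.188
nerrasssx.eu.       1800    IN  A   92.85.230.178
nerrasssx.eu.       1800    IN  A   190.16.45.45
nerrasssx.eu.       1800    IN  A   201.62.140.63
nerrasssx.eu.       1800    IN  A   190.245.16.36
nerrasssx.eu.       1800    IN  A   95.133.54.191
nerrasssx.eu.       1800    IN  A   89.173.151.200
nerrasssx.eu.       1800    IN  A   218.209.20.19
nerrasssx.eu.       1800    IN  A   78.30.202.143
nerrasssx.eu.       1800    IN  A   190.245.42.164
nerrasssx.eu.       1800    IN  A   95.209.138.179
nerrasssb.eu.       1800    IN  A   95.133.54.191
nerrasssb.eu.       1800    IN  A   190.245.42.164
nerrasssb.eu.       1800    IN  A   201.62.140.63
nerrasssb.eu.       1800    IN  A   89.173.151.200
nerrasssb.eu.       1800    IN  A   190.16.45.45
example.invalid.    86400   IN  A   192.0.2.10
example.invalid.    86400   IN  A   192.0.2.11
"""


def parse_a_records(text):
    """Parse 'name TTL IN A addr' lines into {name: (ttl, [addr, ...])}."""
    records = defaultdict(lambda: [None, []])
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] != "A":
            continue  # skip blank lines, comments and non-A records
        name, ttl, addr = fields[0].rstrip("."), int(fields[1]), fields[4]
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
        entry = records[name]
        entry[0] = ttl if entry[0] is None else min(entry[0], ttl)
        if addr not in entry[1]:
            entry[1].append(addr)
    return {name: (ttl, addrs) for name, (ttl, addrs) in records.items()}


def flux_indicators(name, records, min_ips=5, max_ttl=3600, min_prefixes=3):
    """Return the fast-flux indicators for one domain.

    Heuristic (an assumption of this example): many distinct addresses, a short
    TTL and addresses scattered over many /8 blocks, which is what a pool of
    infected home machines looks like and a provider's round-robin pool does not.
    """
    ttl, addrs = records[name]
    prefixes = {addr.split(".")[0] for addr in addrs}
    shared = {}
    for other, (_, other_addrs) in records.items():
        overlap = set(addrs) & set(other_addrs)
        if other != name and overlap:
            shared[other] = len(overlap)  # sister domains sharing the same pool
    flagged = len(addrs) >= min_ips and ttl <= max_ttl and len(prefixes) >= min_prefixes
    return {
        "domain": name,
        "ttl": ttl,
        "ip_count": len(addrs),
        "prefix_count": len(prefixes),
        "shared_ips": shared,
        "fast_flux_suspect": flagged,
    }


def report(text):
    """Indicators for every domain found in a block of A records."""
    records = parse_a_records(text)
    return {name: flux_indicators(name, records) for name in records}


if __name__ == "__main__":
    for name, ind in report(SAMPLE_RECORDS).items():
        print(f"{name:16} ttl={ind['ttl']:6} ips={ind['ip_count']:2} "
              f"/8s={ind['prefix_count']:2} shared={ind['shared_ips']} "
              f"suspect={ind['fast_flux_suspect']}")
```

This scores a single lookup; the defining property of fast flux is that the set changes between lookups, so in production you would store each resolution and compare successive answers for the same name, and the /8 count is only a cheap stand-in for an ASN lookup. The shared-pool figure is the useful pivot here: once one domain is confirmed, every other name resolving to the same addresses can be blocked before it appears in a sample.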