Comments on: ZBot variant masked as settings file for MS Outlook

By: mxlab

mxlab — Tue, 20 Oct 2009 14:37:27 +0000

“Also how are they finding my users username? trial and error ?”

Yes, trial and error is one of the techniques. Harvesting techniques is also popular. In this case they will create email addresses randomly, send out spam and if the spammer receives an NDR or Non Delivery Report from the mail server they know the address is not valid. If they receive nothing there is a chance that the message will be accepted.

But there is another very effective method that we don’t think of. We all have an address book and we all send out emails to each other.

This means that my email address, and yours to, is present on many different computers in address books, contact lists, emails,….

In most cases these emails will be gathered and submitted to spammers/hackers/malware writers when one of these computers get infected with a trojan or virus. In that case the email addresses can be used for sending out spam, being used as a from address to spoof the spam senders origin, to send viruses to or other things that we don’t like.

By: Dr Jon Brody

Dr Jon Brody — Tue, 20 Oct 2009 13:04:23 +0000

We, and almost all of our hosted clients, have recived loads of these today. However, some of the links have not even been obfuscated and point to the domain which the email relates to, but to a directory (/owa/) which does not exist. DOH! Even spammers are getting it wrong!

By: ken

ken — Thu, 15 Oct 2009 10:55:44 +0000

What’s interesting to me is that most domain tools don’t show the domain as existing. If I do a lookup on nerrasssx.eu using network-tools.com (or others) the dns record doesn’t show up. How do they hide the record from tools like this?

By: Diabolic Preacher

Diabolic Preacher — Thu, 15 Oct 2009 09:54:37 +0000

If its a link in the mail, then why would it matter if you use outlook or not, as far as the damage is concerned, it will affect windows systems on the whole. you might as well have clicked the link from another mail client just being confident that you’re not using outlook and infected yourself.

By: ZBot variant masked as settings file for MS Outlook « mxlab – all … (via postie) | Kantaas.Com

Thu, 15 Oct 2009 02:59:53 +0000

[...] ZBot variant masked as settings file for MS Outlook « mxlab – all … [...]

By: Goldoni Jean

Goldoni Jean — Thu, 15 Oct 2009 01:50:50 +0000

Good evening,

I receive this email today with my own mail adress.

What can i do?

By: 1700 Martin Luther King Jr Way » Archives » The Pleasure Never Ends

1700 Martin Luther King Jr Way » Archives » The Pleasure Never Ends — Thu, 15 Oct 2009 00:33:07 +0000

[...] This blog reports on a variant of the ZBot trojan that’s making its way through the tubes of the internet. It’s a classic scam, where the bad guys pose as, in our case, lmi.net tech support. They send you a link via email. The link is obfuscated to make it look like it points to an lmi.net server, but the actual link is to a server off-site. The server has several IP addresses, so that if one is shut down, you may still have a hope of infecting your system. The link leads to a page that tells you to download an executable called YOURNAME-settings.exe. [...]

By: Cody

Cody — Wed, 14 Oct 2009 21:22:17 +0000

I also have a lot of users that are recieving this email today. One from Automailer@mydomain.com and support@mydomain.com Anyone have any luck blocking these… Also how are they finding my users username? trial and error ?

By: DHannen

DHannen — Wed, 14 Oct 2009 21:18:56 +0000

We have also been getting a huge amount of these today, with the domains/addresses changing per mail. I’ve instructed staff to be careful and also included this information. Thanks for the info!

By: Marcus DM

Marcus DM — Wed, 14 Oct 2009 20:49:13 +0000

Denying users” rights to download and install, may protect your network against this payload and any other variants.