ZBot trojan aims AIM users

MX Lab intercepted a few emails regarding AOL Instant Messenger accounts; in fact, the included URL leads to a web site that hosts malware. The malware is known as Trojan-Spy.Win32.Zbot.gen (Kaspersky), PWS:Win32/Zbot.gen!R (Microsoft) or Trojan.Zbot!gen3 (Symantec).

The email comes from the spoofed address AIM <no_reply_instant_messenger@aol.com> with possible subjects like:

Your AIM account is flagged as inactive
Your AIM account will be deleted
YourAOL Instant Messenger account will be deleted

Body of the email:

Dear AOL Instant Messenger user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link . This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

The email contains the link to the web site hxxp://update.aol.com.terfkiof.net.pl/products/aimController.php?code=2902***&email=***r@r***.com. Note: it is possible that other links are being used in this campaign.

This web site prompts you to download the file aimupdate_7.1.6.475.exe (size: 128 kB). When executed, it infects your computer with ZBot – a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system, along with the hidden directory %System%\lowsec and the hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll.

The trojan can request data from the following URLs:

* http://nekovo.ru/cbd/nekovo.bri
* http://nekovo.ru/ip.php

VirusTotal permalink and MD5: d267e1ccc1a30134ab965fcaa39d145c. At the time of writing, only 9 of the 41 AV engines detected the trojan. Our recommendation is therefore not to follow the URL and certainly not to download and install this so-called AIM update.
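As an added example (not part of MX Lab's post), a small Python triage script built from the indicators above: it flags the spoofed sender and the lure subjects, checks whether a link that displays aol.com is really hosted under that domain (here the registrable domain is terfkiof.net.pl, with aol.com only a subdomain prefix), and matches the dropped-file paths on a host. The sample body, the short public-suffix list and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post: spoofed sender, lure subjects, dropped files.
SPOOFED_SENDER = "no_reply_instant_messenger@aol.com"
LURE_SUBJECTS = {
    "your aim account is flagged as inactive",
    "your aim account will be deleted",
    "youraol instant messenger account will be deleted",
}
HOST_ARTIFACTS = ("\\sdra64.exe", "\\lowsec\\local.ds", "\\lowsec\\user.ds")
TRUSTED_BRANDS = ("aol.com",)
# Assumption: this short list of second-level public suffixes is enough here.
SECOND_LEVEL_SUFFIXES = {"net", "com", "co", "org", "gov", "edu", "ac"}
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)
SAMPLE_BODY = ("In order to install the update use the following link "  # constructed sample
               "hxxp://update.aol.com.terfkiof.net.pl/products/aimController.php?code=2902xxx")


def registrable_domain(host: str) -> str:
    """Heuristic effective domain: 'update.aol.com.terfkiof.net.pl' -> 'terfkiof.net.pl'."""
    labels = host.lower().rstrip(".").split(".")
    ccsld = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL_SUFFIXES
    return ".".join(labels[-3 if ccsld else -2:])

def brand_lookalike(url):
    """(brand, real_domain) when a trusted brand name sits in a host not under that brand."""
    host = (urlparse(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or "").lower()
    for brand in TRUSTED_BRANDS:
        if host != brand and not host.endswith("." + brand) and brand in host:
            return brand, registrable_domain(host)
    return None

def triage_email(sender: str, subject: str, body: str) -> list:
    """Reasons this message matches the lure; an empty list means no match."""
    reasons = []
    if SPOOFED_SENDER in sender.lower():
        reasons.append("sender matches the spoofed AIM address")
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches a known lure subject")
    for url in URL_RE.findall(body):
        hit = brand_lookalike(url)
        if hit:
            reasons.append(f"link shows {hit[0]} but is hosted under {hit[1]}")
    return reasons

def host_artifacts(paths) -> list:
    """Paths matching the ZBot drop locations named in the post (case-insensitive)."""
    return [p for p in paths if any(a in p.lower() for a in HOST_ARTIFACTS)]
```

The domain check is a heuristic, not a full public-suffix lookup, so use a proper public-suffix library in production.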
