New ZBot trojan in the wild

MX Lab intercepted a new ZBot trojan attached to emails with changing subjects and body content.

The following email subjects are being used:

Another candidate brought to you
EBOD Meeting MEC Update
Fw: New Taxes Coming
Summary of payments

The email body also changes with every new email version. Here are some examples:

Enjoy… email with questions.. have a great safe weekend… still need more letters… get it done!

In Unity!

Chauncey Pennington

knuts,

Attached are two files showing the amounts paid this past year.
The files are in Lotus 1-2-3 but I think you can open these in Excel or the Open office spread sheet.
This is working very nicely.

Bradley Jacobs

Hi,

This is Charles Brand working as a Technical Team Lead in IBM with over 10 years of solid mainframe development experience. I am confident that my skills will match for this requirement.

Please find the resume as a word attachment. I am available at 404-353-5442 for a discussion. BTW I am in EST time zone.

Looking forward to work with you.

Thanks
Charles

I have attached part of that document toward the bottom so you can print it out for your friends.

“Excellence is an art won by training and habituation. We do not act rightly because we have virtue or excellence, but we rather have those because we have acted rightly. We are what we repeatedly do. Excellence, then, is not an act but a habit” Aristotle

Along with the subject and body content changes, the attached ZIP file also has different file names:

2010 MEC Update.zip
2010 Financing.123.zip
resume.zip
six_months.zip

At the time of writing, only 4 of the 42 AV engines at Virus Total did detect the treath. Virus Total permlink and MD5: 0f80c925e86d069e651eed8a4836f1be.