mxlab - all about anti virus and anti spam » Mal/Zbot-I

New ZBot trojan detected in UPS tracking emails

mxlab — Wed, 27 May 2009 22:40:56 +0000

Email messages coming from UPS with the subject “Postal Tracking #FDD4Q22514LDU4N” and the attached file UPS_DOC_986001.zip are part of a new malware distribution by email. MX Lab intercepted the first samples of a new variant that is only detected by 5 of the 40 AV engines of Virus Total.

The body of the email:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directy is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total link and MD5: de90a24f3dfb5c1c8d4a0a3104f3dd4a.

New Western Union MTCN trojan

mxlab — Tue, 26 May 2009 21:46:11 +0000

MX Lab intercepted a new ZBot trojan today that is being distributed in the famous “Western Union MTCN” format. The message subject is “Western Union Transfer MTCN: 5815328212″. The attached file is a compresses zip archive WesternUnion_SPL90710021.zip containing the malware WesternUnion_SPL90710021.exe. Please note that the numbers in the subject line and/or attachment and executable can change.

The body of the email contains:

Dear customer!

The money transfer you have sent on the 20th of April wasn’t received by the recipient.
According to the Western Union contract the transfers which are not collected in 15 days are to be returned to sender.
To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!

When we submitted the virus sample to Virus Total, on 26/05/2009 at 21:27:10 (UTC), we only had 6 of the 40 AV engines detecting the malware. When looking at the details and virus naming we assume that they are being detected by some heuristic features that the AV engines have: Gen:Trojan.Heur.3004FB9EBC (BitDefender, GData), Suspicious file (Panda), (Suspicious) – DNAScan (CAT-QuickHeal). A-Squared and Microsoft have a real virus name: Gen.Trojan!IK and TrojanDownloader:Win32/Bredolab.G.

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

The following directy is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total permalink and MD5 hash: 53d15dc652a2534572981bab1e2eddf3.

New version of the Zbot-I trojan

mxlab — Sun, 17 May 2009 21:56:09 +0000

A message with the subject line “Fwd: Look and tell…” that has been intercepted by the zero hour anti virus at MX Lab caught our attention. When submitting the details to Virus Total, only 14 of the 40 AV engines did detect this one. The email has the ZIP file attached named Info04.zip and when extracted we got Info04.Doc_[lots of underscores]_…_.exe.

The body of the email:

Hello, webmaster.

I received it with my morning mail but it seems to me everything is yours.
Look and tell to delete it or don’t.

–
Best regards,
webmaster mailto:webmaster@sylvia-gerl.net

This version of malware itself doesn’t do much harm when looking to the activity. It will create a new file%Temp%\svchost [file and pathname of the sample #1], create a new service svchost.exe, add one Windows registry.

Virus Total permlink and MD5:16a2124b53d9d4746c77b9682a795e36.