New ZBot trojan in the wild

MX Lab intercepted a new ZBot trojan attached to emails with changing subjects and body content.

The following email subjects are being used:

Another candidate brought to you
EBOD Meeting MEC Update
Fw: New Taxes Coming
Summary of payments

The email body also changes with every new email version. Here are some examples:

Enjoy… email with questions.. have a great safe weekend… still need more letters… get it done!

In Unity!

Chauncey Pennington

knuts,

Attached are two files showing the amounts paid this past year.
The files are in Lotus 1-2-3 but I think you can open these in Excel or the Open office spread sheet.
This is working very nicely.

Bradley Jacobs

Hi,

This is Charles Brand working as a Technical Team Lead in IBM with over 10 years of solid mainframe development experience. I am confident that my skills will match for this requirement.

Please find the resume as a word attachment. I am available at 404-353-5442 for a discussion. BTW I am in EST time zone.

Looking forward to work with you.

Thanks
Charles

I have attached part of that document toward the bottom so you can print it out for your friends.

“Excellence is an art won by training and habituation. We do not act rightly because we have virtue or excellence, but we rather have those because we have acted rightly. We are what we repeatedly do. Excellence, then, is not an act but a habit” Aristotle

Along with the subject and body content changes, the attached ZIP file also has different file names:

2010 MEC Update.zip
2010 Financing.123.zip
resume.zip
six_months.zip

At the time of writing, only 4 of the 42 AV engines at Virus Total detected the threat. Virus Total permalink and MD5: 0f80c925e86d069e651eed8a4836f1be.

New ZBot variant in messages with subject “YOUR SALE TO CAN PTY LIMITED”

MX Lab intercepted a new ZBot variant in messages with the subject “YOUR SALE TO CAN PTY LIMITED” and the following email body:

Dear ****@****.de

Please find attached correspondence from Colby Young of even date.

Regards

Jillene Smith
Cantle Carmichael Lawyers
PO Box 483
(DX 7876 NEWCASTLE)
Newcastle, NSW, 2300
(P) 02 49 297 500
(F) 02 49 293 611

The email contains the attachment 08-05-2010(10).pdf.zip. Once extracted, we found the 16 kB file 08-05-2010(10).pdf.exe.

Virus Total permalink and MD5: f776ab24302503f7f6e924d0a24ae678.

New ZBot trojan appears in ‘tax statement’ and ‘account suspended’ emails

MX Lab intercepted emails about a tax statement that carry a new ZBot trojan variant. We noticed several different versions of the email.

Internal Revenue Service with the tax statement

The message comes from spoofed addresses that include “Internal Revenue Service”.

Different subjects like the ones below are being used:

Notice of Underreported Income
Your Order with Amazon.com

The body of the email:

Taxpayer ID: bipin-00000299097131US

Tax Type: INCOME TAX

Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) (Attached please find)

===================================

Internal Revenue Service

Dear taxpayer,

The Federal income tax is a progressive tax, meaning that the more you earn, the higher your tax rate. Your tax rate depends not just upon your taxable income, but also upon your filing status (single, married filing jointly, etc.).

You’re in a higher tax bracket because:
- your annual income for the last tax year has increased.

Please review your annual tax report immediately at:
(Please find attached file – tax report.zip)

The email has the attachment tax statement.zip or tax report.zip; the archive contains the 140 kB file tax statement.exe or tax report.exe.

Your internet access is going to get suspended

A second format uses the subject “Your internet access is going to get suspended” and the following email body:

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ISPC Monitoring Team

The trojan is known as Trojan/Win32.Zbot (AhnLab-V3), Suspicious:W32/Malware!Gemini (F-Secure), Mal/Zbot-U (Sophos).

It will create the following files:

%AppData%\Demuy\igin.exe
%AppData%\Kuse\miev.kuu
%Temp%\tmpbe92fc54.bat

The following directories are created:

%AppData%\Demuy
%AppData%\Kuse

A new memory page is created in the address space of the system process:

%System%\cmd.exe

Various Windows registry settings are modified and new ones are created. The trojan can connect to the IPs 74.125.65.147, 76.180.242.112 and 77.78.240.115 on port 80.

Connection with the following URLs:

* hxxp://www.google.com/webhp
* hxxp://jocudaidie.ru/9xq/_gate.php
* hxxp://zephehooqu.ru/bin/koethood.bin

The URL hxxp://zephehooqu.ru/bin/koethood.bin serves a .bin file named koethood.bin.

At the time of writing this blog post, only 4 AV engines detected the threat one hour after the first submission to Virus Total, so this version is relatively new.

Virus Total permalink and MD5: 298a29ce2fe1291e39215fede14ff628.

ZBot trojan aims at AIM users

MX Lab intercepted a few emails about AOL Instant Messenger accounts; in fact, the included URL leads to a web site that hosts malware. The malware is known as Trojan-Spy.Win32.Zbot.gen (Kaspersky), PWS:Win32/Zbot.gen!R (Microsoft) or Trojan.Zbot!gen3 (Symantec).

The email comes from the spoofed address AIM <no_reply_instant_messenger@aol.com> with possible subjects like:

Your AIM account is flagged as inactive
Your AIM account will be deleted
YourAOL Instant Messenger account will be deleted

Body of the email:

Dear AOL Instant Messenger user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link . This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

The email contains the link to the web site hxxp://update.aol.com.terfkiof.net.pl/products/aimController.php?code=2902***&email=***r@r***.com. Note: it is possible that other links are being used in this campaign.

This web site prompts you to download the file aimupdate_7.1.6.475.exe (size: 128 kB). When executed, it infects your computer with ZBot – a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system, along with a hidden directory %System%\lowsec and the hidden files: %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll

The trojan can request data from the following URLs:

* http://nekovo.ru/cbd/nekovo.bri
* http://nekovo.ru/ip.php

Virus Total permalink and MD5: d267e1ccc1a30134ab965fcaa39d145c. At the time of writing, only 9 of the 41 AV engines detected the trojan. Our recommendation is therefore not to follow the URL and certainly not to download and install this so-called AIM update.

ZBot variant masked as settings file for MS Outlook

MX Lab was tipped off about a new 0-day email-borne virus by Alan Dougherty from the company Synergistix. Thanks for sharing this with us. MX Lab intercepted only one sample of the email, which gave us the opportunity to investigate it.

The email comes from suport@****.com, where **** stands for the domain of the recipient's email address. This leads the recipient to think it comes from the support department of their own company. If you don't have a support department, it should be clear that the sender is spoofed and the email must be treated as suspicious. If you do have one, don't take for granted that they would send you instructions on how to install and run executables.

Possible subjects are:

A new settings file for the andre@****.com mailbox
The settings for the andre@****.com mailbox

The body of the email:

Dear user of the beweb.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (andre@b****.com) settings were changed. In order to apply the new set of settings click on the following link:

hxxp://b****.com/owa/service_directory/settings.php?email=andre@b****.com=b****.com=andre

Best regards, beweb.com Technical Support.

The malware is not attached to the email; the included link takes you to a web site where you are told to download the .exe file to apply the new settings. The malware is detected as Trojan-Spy.Win32.Zbot.gen (F-Secure), Mal/Zbot-R (Sophos) or PWS:Win32/Zbot.gen!R (Microsoft). The file itself is about 92 kB and is named settings-file.exe.

Regarding ZBot: it is a trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.

The trojan creates the file %System%\sdra64.exe and the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds inside a hidden directory %System%\lowsec. New memory pages are created in the address space of the system processes services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe.

Several registry settings are modified, and the trojan can connect to the remote host 195.93.208.106 on port 80. The data requested is: hxxp://195.93.208.106/livs/rec.php, hxxp://195.93.208.106/lcc/ip1.gif and hxxp://195.93.208.106/ip.php.

The sample from Alan Dougherty used the domain oikkkkuy.co.uk, and our sample contained bertdffm.co.uk. Both domains were registered by the same registrant today and are already offline. These are so-called fast-flux domains.

With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux domains use a large number of servers behind rapidly changing A records, so that taking down any single host achieves little and shutdown attempts turn into a game.

Domain name:
    bertdffm.co.uk

Registrant:
    Evelyn Wilson

Registrant type:
    Non-UK Individual

Registrant's address:
    805 E. Stocker
    paris
    68554
    Belgium

Registrar:
    Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
    URL: http://www.123-reg.co.uk

Relevant dates:
    Registered on: 14-Oct-2009
    Renewal date:  14-Oct-2011
    Last updated:  14-Oct-2009

Registration status:
    Registration request being processed.

Name servers:
    No name servers listed.

WHOIS lookup made at 16:46:50 14-Oct-2009

At the time of writing, Virus Total shows that only 6 of the 41 AV engines detect the new ZBot variant. Virus Total permalink and MD5: 06085157775a67575c8a40ba934af2d2.

[Update - 20/10/2009 - 4:25 PM local Belgian time] The following domains are being used to host the malware:


This is not a full list of all the malicious domains in use.

For the domain nerrasssx.eu we have the following list of A records:


For the domain nerrasssb.eu we have the following list of A records (the same set of addresses as for nerrasssx.eu):

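One defender-side way to put the fast-flux observation above to work, as an added example that is not part of the original post: the script parses A records in the dig-style layout of the listings above, flags a name whose low TTL, many addresses and scattered networks look like fast-flux, and measures how much of their address pool two names share. The record data is constructed (RFC 5737 documentation addresses), with only the two .eu domain names taken from the post; the thresholds are assumptions to tune for your own resolver data.

```python
import ipaddress
from itertools import combinations

# Constructed sample in the dig-style layout of the post's A-record listings
# (owner, TTL, class, type, address). The .eu names are the post's; the addresses
# are constructed RFC 5737 values, and www.example.com is a constructed benign control.
SAMPLE_RECORDS = """\
nerrasssx.eu.\t\t1800\tIN\tA\t192.0.2.10
nerrasssx.eu.\t\t1800\tIN\tA\t198.51.100.23
nerrasssx.eu.\t\t1800\tIN\tA\t203.0.113.77
nerrasssx.eu.\t\t1800\tIN\tA\t192.0.2.200
nerrasssx.eu.\t\t1800\tIN\tA\t198.51.100.9
nerrasssb.eu.\t\t1800\tIN\tA\t198.51.100.9
nerrasssb.eu.\t\t1800\tIN\tA\t192.0.2.10
nerrasssb.eu.\t\t1800\tIN\tA\t203.0.113.77
nerrasssb.eu.\t\t1800\tIN\tA\t198.51.100.23
nerrasssb.eu.\t\t1800\tIN\tA\t192.0.2.200
www.example.com.\t86400\tIN\tA\t192.0.2.1
"""

def parse_a_records(text):
    """Return {domain: {"ttl": lowest TTL seen, "ips": set of IPv4Address}}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip non-A lines (AAAA, NS, comments, blanks) and malformed addresses,
        # so a pasted, partly garbled zone dump does not crash the parser.
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        try:
            ip = ipaddress.IPv4Address(parts[4])
        except ValueError:
            continue
        name = parts[0].rstrip(".").lower()
        entry = out.setdefault(name, {"ttl": int(parts[1]), "ips": set()})
        entry["ttl"] = min(entry["ttl"], int(parts[1]))
        entry["ips"].add(ip)
    return out

def network_diversity(ips, prefixlen=16):
    """Count distinct /prefixlen networks: flux hosts are scattered, a CDN's are not."""
    return len({ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips})

def fast_flux_score(entry, max_ttl=3600, min_ips=5, min_networks=3):
    """Flag a domain only when all three signals fire (low TTL, many A records,
    addresses across unrelated networks). A big CDN can trip this: triage, not verdict."""
    reasons = []
    if entry["ttl"] <= max_ttl:
        reasons.append(f"low TTL {entry['ttl']}s")
    if len(entry["ips"]) >= min_ips:
        reasons.append(f"{len(entry['ips'])} A records")
    if network_diversity(entry["ips"]) >= min_networks:
        reasons.append(f"{network_diversity(entry['ips'])} distinct /16 networks")
    return len(reasons) == 3, reasons

def shared_infrastructure(records):
    """Domain pairs whose address sets overlap, as (a, b, jaccard), highest first."""
    pairs = []
    for a, b in combinations(sorted(records), 2):
        ia, ib = records[a]["ips"], records[b]["ips"]
        jaccard = len(ia & ib) / len(ia | ib)
        if jaccard > 0:  # any overlap means the names share flux hosts
            pairs.append((a, b, round(jaccard, 2)))
    return sorted(pairs, key=lambda p: -p[2])
```

Feed it the output of `dig +noall +answer A <name>` collected at intervals; a pool that keeps changing between runs while the overlap between sibling domains stays high is the pattern the post describes.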

New ZBot trojan detected in UPS tracking emails

Email messages claiming to come from UPS, with the subject “Postal Tracking #FDD4Q22514LDU4N” and the attached file UPS_DOC_986001.zip, are part of a new malware distribution campaign by email. MX Lab intercepted the first samples of a new variant that is detected by only 5 of the 40 AV engines at Virus Total.

The body of the email:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory is created: %Temp%\WER699f.dir00.
A new process, %System%\wbem\grpconv.exe, is created on the system, along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total link and MD5: de90a24f3dfb5c1c8d4a0a3104f3dd4a.

New Western Union MTCN trojan

MX Lab intercepted a new ZBot trojan today that is being distributed in the well-known “Western Union MTCN” format. The message subject is “Western Union Transfer MTCN: 5815328212”. The attached file is a compressed ZIP archive WesternUnion_SPL90710021.zip containing the malware WesternUnion_SPL90710021.exe. Please note that the numbers in the subject line and/or attachment and executable can change.

The body of the email contains:

Dear customer!

The money transfer you have sent on the 20th of April wasn’t received by the recipient.
According to the Western Union contract the transfers which are not collected in 15 days are to be returned to sender.
To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!

When we submitted the sample to Virus Total on 26/05/2009 at 21:27:10 (UTC), only 6 of the 40 AV engines detected the malware. Judging by the details and the detection names, we assume most of them catch it through heuristic features: Gen:Trojan.Heur.3004FB9EBC (BitDefender, GData), Suspicious file (Panda) and (Suspicious) – DNAScan (CAT-QuickHeal). A-Squared and Microsoft give it a real name: Gen.Trojan!IK and TrojanDownloader:Win32/Bredolab.G.

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory is created: %Temp%\WER699f.dir00.
A new process, %System%\wbem\grpconv.exe, is created on the system, along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total permalink and MD5 hash: 53d15dc652a2534572981bab1e2eddf3.

New version of the Zbot-I trojan

A message with the subject line “Fwd: Look and tell…” that was intercepted by the zero-hour antivirus at MX Lab caught our attention. When we submitted the details to Virus Total, only 14 of the 40 AV engines detected this one. The email has the ZIP file Info04.zip attached, and when extracted we got Info04.Doc_[lots of underscores]_…_.exe.

The body of the email:

Hello, webmaster.

I received it with my morning mail but it seems to me everything is yours.
Look and tell to delete it or don’t.


Best regards,
webmaster mailto:webmaster@sylvia-gerl.net

Judging by its activity, this version of the malware itself does not do much harm. It creates a new file %Temp%\svchost [file and pathname of the sample #1], creates a new service svchost.exe and adds one Windows registry entry.

Virus Total permalink and MD5: 16a2124b53d9d4746c77b9682a795e36.

WorldPay emails contain attached malware

Take extra care when receiving messages with the subject “WorldPay CARD transaction Confirmation” claiming that your invoice is attached to the email as a ZIP file.

MX Lab intercepted emails with malware attached. The From address doesn’t belong to WorldPay at all and is spoofed randomly. This is the contents of the body:

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.

Sincerely, 
Amazon Team

This confirmation only indicates that your transaction has been processed successfully. 
It does not indicate that your order has been accepted. 
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

The malware is known as Trojan-Spy:W32/Zbot.OSK (F-Secure), Trojan-Spy.Win32.Zbot.sot (Kaspersky), PWS:Win32/Zbot.M (Microsoft) or Mal/EncPk-HZ (Sophos).

The threat has the characteristics of ZBot – a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.

Virus Total permalink and MD5: d4131d5a287bce49ddb3a4f9db7e7dc1.

ZBot in “PayPal Rechnung”

A new ZBot variant appears in PayPal “Rechnung” (invoice) emails. The attached file contains the ZBot malware variant, which at this moment (7 PM local Belgian time) is detected by only 3 of the 36 antivirus engines on Virus Total. This type of distribution was also detected in late June by MX Lab.

The content of the malware emails:

Dear customers,

Your order no. SP4323451 has been completed.
An amount of 6789.46 EURO has been debited and will appear on your bank statement as “Paypalabbuchung”.

You will find the details of the invoice in the attachment

PayPal (Europe)
S.à r.l. & Cie, S.C.A.
46-31 Boulevard Royal
L-1472 Luxembourg

Yours faithfully,
Authorised representative: Christopher Darden
Commercial register number: R.C.S. B 734 037

Trojan-Spy.Zbot is a rootkit trojan that steals online banking information and downloads other malware as well. It opens backdoors on the infected computer to give a malicious attacker unauthorized access.

The malware seems to have its origin in Russia and also connects to a Russian web site at http://*******.ru/millioner/millionertest.bin. It also creates some files on the system, such as ntos.exe, and modifies the registry.

Virus Total permalink and the MD5 hash is 606ab42e4c906f933bc9c5ab62b798d9.