Western Union MTCN trojan

MX Lab just interceped a bunch of emails from Western Union claiming that your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service. Sound really scarry at first.

The senders address is spoofed and random, the subject contains “Western Union MTCN #5993705206”. The numbers and even the subject itself can change during the distribution later on.

The content of the email:


Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 42976 since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

You can find the address of the closest Western Union agent on our website at http://www.westernunion.com

Thank you!

First of all, the senders address and the first paragraph of the email must identify this emails as suspicious and dangerous. Did you send a wire to someone in Russia, lately? The chance is quite small I think.

Furthermore, an invoice in a Zip archive that is an executable. Even if your anti virus engine isn’t up to date yet, it should be clear to anyone that this is a virus. Only one anti virus engine, Sophos, detects the trojan at the moment so be carefull.

And yes, our ZBot trojan is back again as a new variant. It’s a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

Some files are created on your system like %System%\oembios.exe (it’s alias is Mal/EncPk-CZ [Sophos]PWS:Win32/Zbot.gen!B [Microsoft]).

The folder %System%\sysproc64 will be created for %System%\sysproc64\sysproc32.sys and %System%\sysproc64\sysproc86.sys. Windows registry is being modified and a connection to an external IP on port 80 is being made to with a GET request bone/no.bin.

Virus Total permalink and MD5: 07b8c31d8519f04103cde011d24c82ec.

10 thoughts on “Western Union MTCN trojan

  1. I recieved a version of this; the MTCN and case numbers were different so building a filter around the numbers is worthless. Perhaps a filter on MTCN might work. Is there some place I should forward it to?


  2. Been hit by this few hours back. I regret i found this blog just after doing a stupidity for the mail attachment which surpassed mailscanner, desktop anti-virus etc.

    had to re-install everything, spent 12 hours being offline doing backups and re-installing.
    Huh wasted my day, NEVER going to open a attachment ever again.

  3. Robert: if you run Sophos Anti-virus trial you will come to know about whether your system is infected or not.

  4. hey i want to be mailing me the whole transactions of western union immediately made before collection of cashs

  5. sir,
    i ave received MTCN NO but my payment has been transfer in othere country so please transfer in my country in INDIA.


    MOBILE NO: +91 9971889388

Comments are closed.