New ZBot trojan detected in UPS tracking emails


Email messages coming from UPS with the subject “Postal Tracking #FDD4Q22514LDU4N” and the attached file UPS_DOC_986001.zip are part of a new malware distribution by email. MX Lab intercepted the first samples of a new variant that is only detected by 5 of the 40 AV engines of Virus Total.

The body of the email:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directy is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total link and MD5: de90a24f3dfb5c1c8d4a0a3104f3dd4a.

One thought on “New ZBot trojan detected in UPS tracking emails

  1. The 6.0 version of Evidence Eliminator by Robinhood software on its website contains the Zbot trojan and is not detected until after install. Steer clear of it.

Comments are closed.