MX Lab has been tipped about a new 0-day email-borne virus by Alan Dougherty from the company Synergistix. Thanks for sharing this with us. MX Lab intercepted only one sample of the email, which gave us the chance to investigate it.
The email comes from suport@****.com, where **** stands for the domain of the recipient's email address. This makes the receiver think it comes from the support department of his own company. If you don't have a support department, it should be clear that the sender is spoofed and that the email must be handled as suspicious. If you do have a support department, don't accept that they would give you instructions on how to install and run executables.
Possible subjects are:
A new settings file for the andre@****.com mailbox
The settings for the andre@****.com mailbox
The body of the email:
Dear user of the beweb.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (andre@b****.com) settings were changed. In order to apply the new set of settings click on the following link:
Best regards, beweb.com Technical Support.
The malware is not attached to the email; the included link takes you to a web site where you are told to download the .exe file and apply the new settings. The malware is detected as Trojan-Spy.Win32.Zbot.gen (F-Secure), Mal/Zbot-R (Sophos) or PWS:Win32/Zbot.gen!R (Microsoft). The file is about 92 kB in size and is named settings-file.exe.
Regarding ZBot: it is a trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.
The trojan creates the file %System%\sdra64.exe, the hidden directory %System%\lowsec and, inside it, the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds. New memory pages were created in the address space of the system processes services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe.
Several registry settings are modified, and the trojan connects to a remote host at the IP 188.8.131.52 on port 80. The data requested is: hxxp://184.108.40.206/livs/rec.php, hxxp://220.127.116.11/lcc/ip1.gif and hxxp://18.104.22.168/ip.php.
The sample from Alan Dougherty used the domain oikkkkuy.co.uk, and our sample contained bertdffm.co.uk. Both domains were registered today by the same registrant and are already offline. These are so-called fast-flux domains.
With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux domains use a large number of servers and a fast-changing domain A record to turn shutdown attempts into a game.
Domain name: bertdffm.co.uk
Registrant: Evelyn Wilson
Registrant type: Non-UK Individual
Registrant's address: 805 E. Stocker paris 68554 Belgium
Registrar: Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG] URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 14-Oct-2009
Renewal date: 14-Oct-2011
Last updated: 14-Oct-2009
Registration status: Registration request being processed.
Name servers: No name servers listed.
WHOIS lookup made at 16:46:50 14-Oct-2009
At the time of writing, VirusTotal shows that only 6 of the 41 AV engines detect the new ZBot variant. VirusTotal permalink and MD5: 06085157775a67575c8a40ba934af2d2.
[Update – 20/10/2009 – 4:25 PM Local Belgian time] The following domains are being used to host the malware:
This will not be a full list of all malicious URLs.
For the domain nerrasssx.eu we have the following list of A records:
nerrasssx.eu. 1800 IN A 22.214.171.124
nerrasssx.eu. 1800 IN A 126.96.36.199
nerrasssx.eu. 1800 IN A 188.8.131.52
nerrasssx.eu. 1800 IN A 184.108.40.206
nerrasssx.eu. 1800 IN A 220.127.116.11
nerrasssx.eu. 1800 IN A 18.104.22.168
nerrasssx.eu. 1800 IN A 22.214.171.124
nerrasssx.eu. 1800 IN A 126.96.36.199
nerrasssx.eu. 1800 IN A 188.8.131.52
nerrasssx.eu. 1800 IN A 184.108.40.206
nerrasssx.eu. 1800 IN A 220.127.116.11
nerrasssx.eu. 1800 IN A 18.104.22.168
nerrasssx.eu. 1800 IN A 22.214.171.124
nerrasssx.eu. 1800 IN A 126.96.36.199
nerrasssx.eu. 1800 IN A 188.8.131.52
For the domain nerrasssb.eu we have the following list of A records:
nerrasssb.eu. 1800 IN A 184.108.40.206
nerrasssb.eu. 1800 IN A 220.127.116.11
nerrasssb.eu. 1800 IN A 18.104.22.168
nerrasssb.eu. 1800 IN A 22.214.171.124
nerrasssb.eu. 1800 IN A 126.96.36.199
nerrasssb.eu. 1800 IN A 188.8.131.52
nerrasssb.eu. 1800 IN A 184.108.40.206
nerrasssb.eu. 1800 IN A 220.127.116.11
nerrasssb.eu. 1800 IN A 18.104.22.168
nerrasssb.eu. 1800 IN A 22.214.171.124
nerrasssb.eu. 1800 IN A 126.96.36.199
nerrasssb.eu. 1800 IN A 188.8.131.52
nerrasssb.eu. 1800 IN A 184.108.40.206
nerrasssb.eu. 1800 IN A 220.127.116.11
nerrasssb.eu. 1800 IN A 18.104.22.168
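As an added illustration of the fast-flux pattern described above (example code, not part of the original post), the following Python parses A records in the layout shown for nerrasssx.eu and nerrasssb.eu and flags owner names that resolve to many addresses spread over unrelated networks behind a short TTL. The domain names, addresses and thresholds are constructed for the example; the /16 grouping is only a crude stand-in for "different networks".

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the page's "name. TTL IN A address" layout; addresses are
# RFC 5737 documentation ranges, not the ones in the post. example.org is the control.
SAMPLE_ZONE = """
fluxdemo.example. 1800 IN A 192.0.2.10
fluxdemo.example. 1800 IN A 198.51.100.5
fluxdemo.example. 1800 IN A 203.0.113.9
fluxdemo.example. 1800 IN A 192.0.2.77
fluxdemo.example. 1800 IN A 198.51.100.200
fluxdemo.example. 1800 IN A 203.0.113.42
example.org. 86400 IN A 192.0.2.1
"""

A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_a_records(text):
    """Return (owner, ttl, address) tuples; lines that are not A records are skipped."""
    records = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m["name"].rstrip(".").lower(), int(m["ttl"]), ip_address(m["ip"])))
    return records

def fast_flux_indicators(records, max_ttl=3600, min_hosts=5, min_prefixes=3):
    """Per owner name: distinct addresses, distinct /16 prefixes, lowest TTL and a verdict.
    Flags the pattern in the post: many hosts in unrelated networks behind a short TTL."""
    by_name = defaultdict(list)
    for name, ttl, ip in records:
        by_name[name].append((ttl, ip))
    report = {}
    for name, entries in by_name.items():
        ips = {ip for _, ip in entries}
        prefixes = {ip_network(f"{ip}/16", strict=False) for ip in ips}  # crude network grouping
        ttl = min(t for t, _ in entries)
        report[name] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "ttl": ttl,
            "suspicious": len(ips) >= min_hosts and len(prefixes) >= min_prefixes and ttl <= max_ttl,
        }
    return report

if __name__ == "__main__":
    for name, info in fast_flux_indicators(parse_a_records(SAMPLE_ZONE)).items():
        print(name, info)
```

On the sample the constructed fluxdemo.example name is flagged (6 addresses in 3 prefixes, TTL 1800) while example.org, with one stable record and a day-long TTL, is not.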