ZBot trojan appears in emails on how to beat the S&P500


Everyone would like some extra income, and for some people trading stocks is the way to get it. So what if an email arrives promising the "top 3%" of stocks to buy? Sounds interesting, so let's take a look.

MX Lab, http://www.mxlab.eu, intercepted some emails with the subject “How To Beat The S&P500 By 5,420 pc Or MORE?, Wed, 7 Dec 2011 15:26:29 +0100, MAAIGNCPV5”.

The subject line looks very familiar: it follows the same pattern as the recent trojan distribution campaigns we have seen posing as Verizon Wireless account information or an Adobe Critical Upgrade notification. The subject ends with a date stamp followed by a randomly generated combination of letters and digits.

The email is sent from a spoofed address, in our case from the domain vzw.com, and has the following body:

Hello Dear!

As you probably know, there are over 7,000 stocks to choose from on just the U.S. exchanges alone…
But what you might NOT know is that about 97% of these stocks are PURE POISON for your portfolio, meaning that the odds are stacked AGAINST you before you even place a trade. Recently, one of the most respected trading experts in our community discovered a way to automatically FILTER OUT the ‘poison’ stocks and leave you with:
* The Top 3% that offer the most profit potential every time you trade.

Feel free refer to attach for more detailed information!

Thanks a lot!

The attached ZIP file is named 97_percents_poison_stocks_overview_report-19560.zip and contains the 200 kB file 97_percents_poison_stocks_overview_report.exe.

The trojan is detected as TR/Spy.ZBot.oke (AntiVir), Trojan.Generic.KDV.461730 (BitDefender), Trojan-Spy.Agent!IK (Emsisoft), Trojan-Spy.Win32.Zbot.crnn (Kaspersky), PWS-Zbot.gen.hb (McAfee) and Trojan.Zbot (Symantec).

At the time of writing, 17 of the 43 AV engines at VirusTotal detected the trojan. With fewer than half of the engines flagging the sample, signature-based AV alone is not a reliable gate for this campaign; blocking executables inside ZIP attachments at the mail gateway catches it regardless of signature coverage.

The sample's MD5, as listed on the VirusTotal permalink: 67a24430319bb92f3113d752c84d4a87.
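As an added example (not MX Lab's own tooling), the script below shows how a mail gateway could flag this campaign from the indicators described above: the subject suffix (date stamp plus random letter/digit token), the spoofed vzw.com sender domain, and an executable packed inside a ZIP attachment, hashed and compared against the published MD5. The message it runs on is a constructed look-alike with an inert placeholder in place of the trojan, so the hash will deliberately not match the published value; the sender's local part and the recipient address are invented.

```python
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Subject pattern observed in this campaign: lure text, then an RFC 5322 style
# date stamp, then a random upper-case letter/digit token, comma separated.
SUBJECT_RE = re.compile(
    r",\s*(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Z][a-z]{2}\s+\d{4}\s+"
    r"\d{2}:\d{2}:\d{2}\s+[+-]\d{4},\s*[A-Z0-9]{6,16}\s*$"
)

# Sender domain spoofed in the intercepted mail, and the MD5 published for the EXE.
SPOOFED_SENDER_DOMAINS = {"vzw.com"}
KNOWN_BAD_MD5 = {"67a24430319bb92f3113d752c84d4a87"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")

# Constructed placeholder standing in for the EXE inside the ZIP; it is inert
# and deliberately does not hash to the published MD5.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not malware"


def subject_matches_campaign(subject):
    """True if the subject carries the campaign's date-stamp + random-token suffix."""
    return bool(SUBJECT_RE.search(subject or ""))


def sender_domain(msg):
    """Lower-case domain of the From: header ('' if absent or malformed)."""
    addr = str(msg["From"] or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip("> ").lower()


def executables_in_zip_attachments(msg):
    """Open every ZIP attachment in memory and report executable members with their MD5."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue  # corrupt archives are a separate policy question; skipped here
        for info in zf.infolist():
            if info.filename.lower().endswith(EXECUTABLE_EXT):
                content = zf.read(info)
                findings.append({
                    "zip": name,
                    "member": info.filename,
                    "size": len(content),
                    "md5": hashlib.md5(content).hexdigest(),
                })
    return findings


def assess(raw_bytes):
    """Return a verdict dict {block, reasons, executables} for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    reasons = []
    subject_hit = subject_matches_campaign(str(msg["Subject"] or ""))
    if subject_hit:
        reasons.append("subject ends in campaign date-stamp/random-token pattern")
    spoofed = sender_domain(msg) in SPOOFED_SENDER_DOMAINS
    if spoofed:
        reasons.append("From: domain matches a domain spoofed by this campaign")
    exes = executables_in_zip_attachments(msg)
    for e in exes:
        if e["md5"] in KNOWN_BAD_MD5:
            reasons.append("ZIP member %s has a published ZBot MD5" % e["member"])
        else:
            reasons.append("ZIP member %s is an executable (%d bytes)" % (e["member"], e["size"]))
    # An executable inside a ZIP is blocked outright; the subject pattern alone
    # only blocks when paired with a spoofed sender, to limit false positives.
    block = bool(exes) or (subject_hit and spoofed)
    return {"block": block, "reasons": reasons, "executables": exes}


def build_sample_email():
    """Constructed look-alike of the intercepted message (not the original sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("97_percents_poison_stocks_overview_report.exe", FAKE_EXE)
    msg = EmailMessage()
    msg["From"] = "promo@vzw.com"  # invented local part; only the domain is from the report
    msg["To"] = "victim@example.net"  # invented recipient
    msg["Subject"] = ("How To Beat The S&P500 By 5,420 pc Or MORE?, "
                      "Wed, 7 Dec 2011 15:26:29 +0100, MAAIGNCPV5")
    msg.set_content("Hello Dear!\n\nFeel free refer to attach for more detailed information!\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="97_percents_poison_stocks_overview_report-19560.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict = assess(build_sample_email())
    print("block:", verdict["block"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The executable-in-ZIP rule is what actually stops this campaign, independent of AV coverage; the subject and sender rules are kept as corroborating signals rather than stand-alone blockers, since a legitimate mail could plausibly carry a date in its subject.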