
SonicWALL UTM Research team observed a spam campaign posing as a critical update for Microsoft Outlook. The email links to a spoofed Microsoft security website that serves a new ZBot Trojan variant.
ZBot is a banking Trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives an attacker remote access to the compromised system. Read more about the Zeus/Zbot Trojan family here: https://www.mysonicwall.com/SonicAlert/index.asp?ev=article&id=132
This malware is 83,456 bytes in size.
When executed, it creates the following files on the system:
It modifies the registry value:
Userinit = "%System%\userinit.exe,%System%\sdra64.exe,"
so that sdra64.exe runs every time Windows starts.
It also creates the registry entries:
UID = "%ComputerName%_0004DCC0" and ProxyEnable = 0x00000000
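The two registry indicators above (the extra program chained into Userinit, and the ZBot UID value) can be checked from an exported set of values. The script below is an added illustration, not SonicWALL's own tooling; the system directory, the constructed sample values and the computer name are assumptions.

```python
import ntpath
import re

# Assumed system directory, used to expand the %System% placeholder from the advisory.
SYSTEM_DIR = r"C:\Windows\system32"
# Stock Userinit value on a clean install is just userinit.exe (a trailing comma is normal).
EXPECTED_USERINIT = {ntpath.normpath(SYSTEM_DIR + r"\userinit.exe").lower()}
# ZBot's UID value as described in the advisory: <ComputerName>_<8 hex digits>
UID_PATTERN = re.compile(r"^[A-Za-z0-9\-]{1,15}_[0-9A-Fa-f]{8}$")


def normalize_path(entry):
    """Expand %System% and normalise case/separators so paths compare reliably."""
    entry = entry.strip().strip('"')
    entry = re.sub(r"%System%\\?", lambda m: SYSTEM_DIR + "\\", entry, flags=re.IGNORECASE)
    return ntpath.normpath(entry).lower()


def userinit_extras(userinit_value):
    """Return every program chained into Userinit that is not the stock userinit.exe."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries if normalize_path(e) not in EXPECTED_USERINIT]


def scan_registry(values):
    """Check a dict of exported registry values for the indicators in this advisory."""
    findings = []
    for extra in userinit_extras(values.get("Userinit", "")):
        findings.append("Userinit hijack: extra program %s" % extra)
    uid = values.get("UID")
    if uid and UID_PATTERN.match(uid):
        findings.append("ZBot-style UID value: %s" % uid)
    if uid and values.get("ProxyEnable") == 0:
        findings.append("ProxyEnable cleared alongside UID value")
    return findings


# Constructed samples mirroring the advisory's values; not a real registry export.
SAMPLE_INFECTED = {
    "Userinit": r"%System%\userinit.exe,%System%\sdra64.exe,",
    "UID": "WORKSTATION7_0004DCC0",
    "ProxyEnable": 0,
}
SAMPLE_CLEAN = {"Userinit": r"C:\Windows\system32\userinit.exe,", "ProxyEnable": 0}

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_registry(sample))
```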
The e-mail looks like:
This Trojan is also known as Trojan-Spy.Win32.Zbot.xdj, Mal/Zbot-O and Trojan.Spy.LooksLike.ZBot.
SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.XDJ (Trojan) signature.