UPS Invoice Spam (Nov 21, 2008)

SonicWALL UTM Research team observed a new wave of the on-going UPS invoice spam campaign starting Thursday, November 20, 2008. The email has a zip archived attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 1,000 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: UPSInfo.zip (contains UPSInfo.exe)

Subject: Your Tracking #

Email Body:
------------------------
Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient?s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS
------------------------

The executable file inside the zip attachment has an icon disguised as a Adobe PDF file and it looks like following:

The Trojan when executed performs following host level activity:

• Creates a directory twain_32 in C:Documents and SettingsLocalServiceApplication Data and C:WINDOWSsystem32
• Drops a copy of itself as C:WINDOWSsystem32twext.exe
• Creates two files C:WINDOWSsystem32twain_32local.ds and C:WINDOWSsystem32twain_32user.ds

It modifies the following Registry key for running twext.exe:

• HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: "C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twext.exe,"

It also tries connect and download an encrypted configuration file from the following URL:

• pavelmoous.ru/pavel/conf.bin

The Trojan is also known as Trojan-Spy.Win32.Zbot.gsv , W32/Trojan3.LA , and TR/Spy.ZBot.gsv

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GSV (Trojan) signature.