Fake Amazon order – New Zbot variant (May 14, 2010)

SonicWALL UTM Research team discovered a new Zbot spam campaign involving fake order payment e-mail from Amazon. The e-mail informs the user to download the attached file which it claims to be a document containing order tracking number.

The e-mail contains malicious executable file inside the zip attachment that has an icon disguised as a Microsoft Word document. This malware executable is a new variant of Zbot Trojan.

The e-mail message looks like:

The downloaded fake tracking number document looks like:

If the user tries to open this document file, it performs the following activities:

• Connects to a malicious domain hulejsoops.ru which is a Zbot Command & Control (C&C) server and sends following HTTP requests:
  • GET /images/bb.php?v=2(REMOVED)m=40
  • GET /images/bb.php?v=2(REMOVED)m=41

• Uppon successful connection & authentication to the C&C server it receives following command strings to further download additional malware as well as encrypted configuration file:

  

• Based on above command strings, it downloads and executes all or some of these files based on the victim machine:
  • (SYSTEM)lowseclocal.ds
  • (SYSTEM)lowsecuser.ds
  • (SYSTEM)lowsecuser.ds.lll
  • (SYSTEM)sdra64.exe
  • (SYSTEM)thxr.wgo
  • (SYSTEM)ustftqmbt.exe

• Registry modifications in order to ensure that the malware executes on each system reboot:
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: "(SYSTEM)userinit.exe,(System)sdra64.exe,"
  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunustftqmbt: "(SYSTEM)ustftqmbt.exe"
• Downloads configuration file konf1.bin from one of the URLs found in the command string received from C&C server.
• Deletes the original copy of the file.

The Trojan has very low AV detection at the time of writing this alert and is also known as Trojan.Win32.VBKrypt.td and Mal/Koobface-E .

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.TD (Trojan) signature.