Filed Under:
WEEKLY REVIEW

BitDefender weekly review – ZBot uses Michael Jackson to spread

03 July 2009
The celebrity's passing is a goldmine for spammers: it makes it easy to lure unsuspecting victims into clicking links or opening attachments, both of which are infection vectors for malware. This week's highlight: our famous banker, Trojan.Spy.ZBot.

Trojan.Spy.ZBot.VG

The malware spreads by sending itself as attachments in spam messages.

This particular version of ZBot is, again, a repacked version of Trojan.Spy.ZBot.UI. It injects code into winlogon.exe, which lets it create files and connect to the Internet without being noticed. Using that foothold, it drops a copy of itself at %windir%\system32\sdra64.exe, appending garbage to the executable so that the copy has a different size and MD5 hash, a rather weak attempt at AV evasion. It also creates a folder called lowsec in the same directory, in which it writes three files of encrypted data: local.ds, user.ds and user.ds.lll.

local.ds holds a file downloaded from http://lab[removed].com/lbrc/lbr.bin. This is the configuration: the URL from which to download new versions, the URLs from which to sniff login data (mostly online banking websites) and the address to which that data is sent.

user.ds stores all the spied information, which is sent over the web to the Trojan's author. ZBot.UI also keeps a backup of this file as user.ds.lll.

To run at every system startup, the Trojan modifies certain registry entries. It also marks its presence on the computer by creating the following mutexes: __SYSTEM__64AD0625__, _AVIRA_2109, _AVIRA_2108, _AVIRA_210999, _H_64AD0625_
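A host triage script for the indicators above, written as an added example for this review (it is not BitDefender's code or part of the original post). It checks only what the write-up names: the dropped copy at %windir%\system32\sdra64.exe, the lowsec folder with local.ds, user.ds and user.ds.lll, and the five mutexes. The registry entries used for persistence are not named in the write-up, so they are not checked. The Windows directory root is a parameter so the scan can be pointed at a mounted image; the sample tree built by make_sample_tree() is a constructed fixture for offline testing, not a real sample.

```python
"""Triage a host for the Trojan.Spy.ZBot.VG indicators listed in the write-up.

Added example, not BitDefender's code. Only the artefacts the write-up names
are checked; the registry persistence entries are not named there and are
therefore not covered.
"""
import ctypes
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# File artefacts named in the write-up, relative to the Windows directory.
FILE_INDICATORS = [
    Path("system32", "sdra64.exe"),
    Path("system32", "lowsec", "local.ds"),
    Path("system32", "lowsec", "user.ds"),
    Path("system32", "lowsec", "user.ds.lll"),
]

# Mutex names created by the sample, as listed in the write-up.
MUTEX_INDICATORS = [
    "__SYSTEM__64AD0625__",
    "_AVIRA_2109",
    "_AVIRA_2108",
    "_AVIRA_210999",
    "_H_64AD0625_",
]


def scan_files(windir):
    """Return (relative_path, size, md5) for each file indicator found under windir.

    windir may be a live %windir% or the root of a mounted disk image. The MD5
    is recorded for the incident log only: the sample pads the dropped copy
    with garbage, so its hash is not expected to match the spammed attachment.
    """
    windir = Path(windir)
    hits = []
    for rel in FILE_INDICATORS:
        path = windir / rel
        if path.is_file():
            data = path.read_bytes()
            hits.append((rel.as_posix(), len(data), hashlib.md5(data).hexdigest()))
    return hits


def scan_mutexes(names=MUTEX_INDICATORS):
    """Return the indicator mutexes that currently exist on this host.

    Uses kernel32!OpenMutexW with SYNCHRONIZE access, which succeeds only if a
    mutex of that name already exists. Returns [] on non-Windows platforms.
    """
    if sys.platform != "win32":
        return []
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    SYNCHRONIZE = 0x00100000
    found = []
    for name in names:
        handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
        if handle:
            k32.CloseHandle(handle)
            found.append(name)
    return found


# Constructed fixture (not a real sample): a fake Windows directory tree that
# carries every file indicator, so the scanner can be exercised offline.
SAMPLE_CONTENT = b"MZ fake sample for the triage demo\n"


def make_sample_tree():
    """Create a temporary tree containing all FILE_INDICATORS and return its root."""
    root = Path(tempfile.mkdtemp(prefix="zbot-demo-"))
    for rel in FILE_INDICATORS:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(SAMPLE_CONTENT)
    return root


if __name__ == "__main__":
    # Usage: python triage.py [windir]; defaults to the live %WINDIR%.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WINDIR", r"C:\Windows")
    for rel, size, digest in scan_files(root):
        print(f"file  {rel}  {size} bytes  md5={digest}")
    for name in scan_mutexes():
        print(f"mutex {name}")
```

Because the dropped sdra64.exe is padded, a hit should be matched on path and behaviour rather than on a published hash; the size and MD5 are kept only so the artefact can be recorded and compared across hosts in the same incident.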

The spam this e-threat was built to send out rides the recent Michael Jackson wave. It has the subject "Who killed Michael Jackson?" and the following body:

            Michael Jackson Was Killed...

            But Who Killed Michael Jackson?

            Visit X-Files to see the answer:

            http://MJac[removed]ij.com/x-files


Trojan.Skintrim.HTML.A

This is a generic detection for several HTML files that adware such as Adware.Downloader.Navipromo.B or Adware.LivePlayer.A downloads.

The files contain an embedded executable, which is dropped into %windir%\system32 and is detected as adware as well. The name of the executable is specified in the downloaded HTML file and is generated randomly.

To avoid detection, the executables run only if certain parameters are supplied, parameters known only to the downloaders.

Information in this article is available courtesy of BitDefender virus researchers Dana Stanut and Ovidiu Visoiu.
