MX Lab has been tipped off about a new 0-day email-borne virus by Alan Dougherty of the company Synergistix. Thanks for sharing this with us. MX Lab intercepted only one sample of the email, which gave us the opportunity to investigate it.
The email comes from suport@****.com, where **** stands for the domain used in the recipient's email address. This makes the receiver think it comes from the support department of his own company. If you don't have a support department, it should be clear that the sender is spoofed and that the email must be treated as suspicious. If you do have a support department, don't accept that they would send you instructions on how to download, install and run executables.
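The pattern described above, a From address in the recipient's own domain that the organisation's own mail servers never sent, is cheap to flag at the gateway: the sender domain equals the recipient domain but the message carries no passing SPF verdict. The following Python is an added example written for this article, not MX Lab's filter or code; the sample message, the stand-in domain example.com and the SPF verdict in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the message described above (example.com stands in
# for the masked recipient domain; the Received-SPF verdict is made up for illustration).
SAMPLE = """\
From: suport@example.com
To: andre@example.com
Subject: A new settings file for the andre@example.com mailbox
Received-SPF: fail (mx.example.com: domain of suport@example.com does not designate 203.0.113.7 as permitted sender)
Content-Type: text/plain

Dear user of the example.com mailing service!
"""


def domain_of(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, bare = parseaddr(addr)
    return bare.rpartition("@")[2].lower() if "@" in bare else ""


def spf_result(msg):
    """SPF verdict from Authentication-Results (RFC 8601) or Received-SPF, else 'none'."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", ar, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    for rs in msg.get_all("Received-SPF", []):
        m = re.match(r"\s*(\w+)", rs)
        if m:
            return m.group(1).lower()
    return "none"


def assess(raw):
    """Flag a message whose From domain is the recipient's own but is not SPF-authenticated."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From", ""))
    rcpt_domains = {domain_of(a) for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    spf = spf_result(msg)
    looks_internal = bool(sender) and sender in rcpt_domains
    return {
        "sender_domain": sender,
        "looks_internal": looks_internal,
        "spf": spf,
        # A message that claims to be internal must pass SPF; anything else is treated as spoofed.
        "spoofed_internal": looks_internal and spf != "pass",
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

The check deliberately treats a missing verdict the same as a failing one: a mail claiming to come from your own domain but arriving from outside without authentication is exactly the case this campaign exploits. Organisations that publish SPF with a hard fail for their own domain make the verdict reliable enough to quarantine on.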
The subject of the email is in the format “A new settings file for the andre@****.com mailbox” and this is the body of the email:
Dear user of the beweb.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (andre@b****.com) settings were changed. In order to apply the new set of settings click on the following link:
hxxp://b****.com/owa/service_directory/settings.php?email=andre@b****.com=b****.com=andre
Best regards, beweb.com Technical Support.
The malware is not attached to the email; the included link takes you to a web site where you are asked to download the .exe file and "apply the new settings". The malware is detected as Trojan-Spy.Win32.Zbot.gen (F-Secure), Mal/Zbot-R (Sophos) or PWS:Win32/Zbot.gen!R (Microsoft). The file itself is about 92 kB in size and is named settings-file.exe.

Regarding ZBot: it is a trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components and gives the attacker remote access to the compromised system.
The trojan creates the file %System%\sdra64.exe, a hidden directory %System%\lowsec and, inside it, the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds. New memory pages were created in the address space of the system processes services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe, i.e. the trojan injects code into them.
Several registry settings are modified and the trojan connects to a remote host at 195.93.208.106 on port 80. The URLs requested are: hxxp://195.93.208.106/livs/rec.php, hxxp://195.93.208.106/lcc/ip1.gif and hxxp://195.93.208.106/ip.php.
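The file paths and URLs above are the indicators a responder would sweep for. The following Python is an added example for this article, not MX Lab's tooling or the trojan's code: one function checks a %System% directory for the dropped files and another picks the C2 requests out of proxy log lines. The Squid-style log lines are constructed for the demonstration, and make_infected_dir() only builds a throwaway directory laid out like an infected system so the check can be seen firing offline.

```python
import os
import re
import tempfile

# Host artifacts named in the write-up, relative to %System% (normally C:\Windows\System32).
FILE_IOCS = ["sdra64.exe", os.path.join("lowsec", "local.ds"), os.path.join("lowsec", "user.ds")]

# Network indicators named in the write-up (hxxp rewritten back to http for matching).
C2_HOST = "195.93.208.106"
C2_URLS = {f"http://{C2_HOST}/livs/rec.php", f"http://{C2_HOST}/lcc/ip1.gif", f"http://{C2_HOST}/ip.php"}
C2_PATTERN = re.compile(r"https?://" + re.escape(C2_HOST) + r"(?::\d+)?(/\S*)?")

# Constructed Squid-style access log lines, not real traffic.
SAMPLE_LOG = [
    "1255535210.123     45 10.0.0.23 TCP_MISS/200 312 GET http://195.93.208.106/livs/rec.php - DIRECT/195.93.208.106 text/html",
    "1255535215.456     30 10.0.0.23 TCP_MISS/200 10240 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1255535220.789     28 10.0.0.41 TCP_MISS/200 43 GET http://195.93.208.106/lcc/ip1.gif - DIRECT/195.93.208.106 image/gif",
]


def default_system_dir():
    """%System% on the local machine (falls back to C:\\Windows\\System32 when SystemRoot is unset)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


def check_host_artifacts(system_dir):
    """Return the paths from FILE_IOCS that exist under system_dir."""
    return [p for p in (os.path.join(system_dir, rel) for rel in FILE_IOCS) if os.path.exists(p)]


def scan_proxy_log(lines):
    """Return (line_number, url, is_known_c2_path) for every line that reaches the C2 host.

    Any request to the host is reported, because the trojan downloads additional
    components and may use paths the sample did not show; the flag tells you whether
    the path is one of the three observed in this analysis.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = C2_PATTERN.search(line)
        if m:
            hits.append((n, m.group(0), m.group(0) in C2_URLS))
    return hits


def make_infected_dir():
    """Build a throwaway directory laid out like an infected %System%, for demonstration only."""
    root = tempfile.mkdtemp(prefix="zbot_demo_")
    os.mkdir(os.path.join(root, "lowsec"))
    for rel in FILE_IOCS:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"\x00")  # placeholder content; the real files hold stolen data and config
    return root


if __name__ == "__main__":
    print("demo dir:", check_host_artifacts(make_infected_dir()))
    print("this host:", check_host_artifacts(default_system_dir()))
    print("proxy hits:", scan_proxy_log(SAMPLE_LOG))
```

On a live Windows host, run check_host_artifacts(default_system_dir()) from an elevated prompt; lowsec and its contents are hidden, but os.path.exists does not care about the hidden attribute, so no special handling is needed. A file-based check is a point-in-time answer only: later ZBot builds change file names, so treat the network indicators and the injected processes as the more durable signals.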
The sample from Alan Dougherty used the domain oikkkkuy.co.uk and our sample contained bertdffm.co.uk. Both domains were registered today by the same registrant and are already offline. These are so-called fast-flux domains.
With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux domains use a large number of servers (usually infected machines acting as proxies) and a fast-changing A record with a very short TTL, turning shutdown attempts into a game of whack-a-mole: by the time one host is taken down, the record already points elsewhere.
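The behaviour just described is observable from the outside: resolve the name repeatedly over a short window and look at how many different addresses and networks come back and how short the TTL is. The Python below is an added example written for this article, not MX Lab's code; it scores a series of resolution snapshots rather than performing live DNS lookups, and both the snapshots (RFC 5737 documentation addresses) and the thresholds are constructed for illustration and would need tuning against a real baseline.

```python
# Constructed resolution snapshots: (seconds since first lookup, TTL seen, set of A records).
# The addresses are documentation ranges (RFC 5737); nothing here was resolved live.
FLUX_SNAPSHOTS = [
    (0,   300, {"203.0.113.10", "198.51.100.7", "192.0.2.44"}),
    (300, 300, {"203.0.113.77", "198.51.100.120", "192.0.2.9"}),
    (600, 300, {"203.0.113.10", "198.51.100.200", "192.0.2.130"}),
    (900, 300, {"203.0.113.5", "198.51.100.7", "192.0.2.201"}),
]
STABLE_SNAPSHOTS = [
    (0,   86400, {"192.0.2.1"}),
    (300, 86400, {"192.0.2.1"}),
    (600, 86400, {"192.0.2.1"}),
    (900, 86400, {"192.0.2.1"}),
]

# Illustrative thresholds (assumptions for this example, not from the post).
MAX_TTL = 600           # flux records must expire quickly so the rotation takes effect
MIN_DISTINCT_IPS = 5    # across the whole observation window
MIN_DISTINCT_NETS = 3   # distinct /16 prefixes as a crude stand-in for AS diversity


def summarize(snapshots):
    """Collapse repeated A-record lookups into the features that separate flux from a stable host."""
    all_ips = set().union(*(ips for _, _, ips in snapshots))
    nets = {".".join(ip.split(".")[:2]) for ip in all_ips}
    changes = sum(1 for (_, _, a), (_, _, b) in zip(snapshots, snapshots[1:]) if a != b)
    return {
        "lookups": len(snapshots),
        "distinct_ips": len(all_ips),
        "distinct_nets": len(nets),
        "min_ttl": min(ttl for _, ttl, _ in snapshots),
        "record_changes": changes,
    }


def is_fast_flux(snapshots):
    """True when the name rotates across many addresses in many networks with a short TTL.

    All four conditions must hold: a CDN also spreads one name over many addresses,
    but its records are stable between lookups and cluster in the provider's networks.
    """
    s = summarize(snapshots)
    return (s["min_ttl"] <= MAX_TTL
            and s["distinct_ips"] >= MIN_DISTINCT_IPS
            and s["distinct_nets"] >= MIN_DISTINCT_NETS
            and s["record_changes"] > 0)


if __name__ == "__main__":
    for name, snaps in (("flux", FLUX_SNAPSHOTS), ("stable", STABLE_SNAPSHOTS)):
        print(name, summarize(snaps), is_fast_flux(snaps))
```

In practice the snapshots come from querying the name every few minutes with a resolver that returns TTLs (dig, or a library such as dnspython) and recording the answer set each time; a proper implementation replaces the /16 heuristic with real AS lookups, since flux networks spread their proxies across consumer ISPs while legitimate load-balanced services sit in a few provider networks. A WHOIS record like the one below says nothing about flux by itself; what gives these domains away is the DNS behaviour over time combined with their age.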
Domain name:
bertdffm.co.uk
Registrant:
Evelyn Wilson
Registrant type:
Non-UK Individual
Registrant's address:
805 E. Stocker
paris
68554
Belgium
Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 14-Oct-2009
Renewal date: 14-Oct-2011
Last updated: 14-Oct-2009
Registration status:
Registration request being processed.
Name servers:
No name servers listed.
WHOIS lookup made at 16:46:50 14-Oct-2009
At the time of writing, VirusTotal reports that only 6 of the 41 AV engines detect the new ZBot variant. VirusTotal permalink and MD5: 06085157775a67575c8a40ba934af2d2.