Hi,

Zbot (also known as Zeus) is an information-stealing trojan (infostealer)
that collects confidential data from each infected computer. The main vector
for spreading Zbot is a spam campaign in which recipients are tricked into
opening infected attachments on their computer.

This new variant uses a malicious PDF file which contains the threat as an
embedded file. When recipients open the PDF, it prompts them to save a file
called Royal_Mail_Delivery_Notice.pdf. The user falsely assumes that the
file is just a PDF, and therefore safe to store on the local computer. The
file, however, is really a Windows executable. The malicious PDF launches
the dropped file, which takes control of the computer. At the time of writing,
this file has a 20% anti-virus detection rate (SHA1:
f1ff07104b7c6a08e06bededd57789e776098b1f).

The threat creates a subdirectory under %SYSTEM32% with the name "lowsec"
and drops the "local.ds" and "user.ds" files there. These are configuration
files for the threat. It also copies itself into %SYSTEM32% as "sdra64.exe"
and modifies the registry value "%SOFTWARE%\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit" to launch itself during system startup.
When it runs, it injects malicious code into the Winlogon.exe instance in
memory. This Zbot variant connects to a malicious remote server in China at
the IP address 59.44.[removed].[removed]:6010.
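
A triage check for the host indicators listed above, added here as an example and not part of the original post: it flags any entry in the Winlogon Userinit value other than the stock userinit.exe (Zbot appends sdra64.exe to that comma-separated list), and reports which of the named files appear in a path listing. The default Userinit value and the sample paths in the `__main__` block are constructed; both functions take plain strings so they can be run offline against a registry export or a file listing from a disk image.

```python
import ntpath

# Default Userinit value on a clean Windows install (the trailing comma is normal).
# Constructed for this example; compare against your own baseline.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# File indicators from the advisory above, relative to %SYSTEM32%.
ZBOT_FILE_INDICATORS = (
    r"sdra64.exe",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
)


def suspicious_userinit_entries(value):
    """Return Userinit entries that are not the stock userinit.exe.

    Winlogon runs every comma-separated entry in Userinit at logon, which is
    how Zbot persists. Empty entries (the trailing comma) are ignored, quotes
    are stripped, and only the file name is compared, case-insensitively, so
    different drive letters or casing do not hide an extra entry.
    """
    flagged = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            flagged.append(entry)
    return flagged


def zbot_file_hits(paths, system32=r"C:\Windows\system32"):
    """Return the advisory's indicator names whose full path occurs in `paths`.

    `paths` is any iterable of absolute Windows paths (e.g. a directory
    listing exported from the host); matching is case-insensitive.
    """
    wanted = {ntpath.join(system32, i).lower(): i for i in ZBOT_FILE_INDICATORS}
    return sorted(wanted[p.lower()] for p in paths if p.lower() in wanted)


if __name__ == "__main__":
    # Constructed sample: an infected Userinit value and a partial listing.
    infected = DEFAULT_USERINIT + r"C:\Windows\system32\sdra64.exe,"
    listing = [r"C:\Windows\System32\kernel32.dll",
               r"C:\Windows\System32\sdra64.exe",
               r"C:\Windows\System32\lowsec\user.ds"]
    print("Extra Userinit entries:", suspicious_userinit_entries(infected))
    print("Indicator files present:", zbot_file_hits(listing))
```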

-- 
You received this message because you are subscribed to the Google Groups 
"nforceit" group.
To post to this group, send an email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/nforceit?hl=en-GB.
