BitDefender weekly review

The celebrity's passing is a goldmine for spammers. They can easily lure unsuspecting victims into clicking links or opening attachments, both vectors of infection for malware. This week's highlight: our famous banker, Trojan.Spy.Zbot.


The malware spreads by sending itself as an attachment in spam messages.

This particular version of Zbot is, again, a repacked version of Trojan.Spy.ZBot.UI, which injects code into winlogon.exe, allowing it to create files and connect to the Internet undetected. Making use of this, it creates a copy of itself as %windir%\system32\sdra64.exe, adding garbage to the executable so that it has a different size and MD5 hash, a rather timid attempt at AV evasion. It also creates a folder called lowsec in the same directory, in which it writes 3 files containing encrypted data: local.ds, user.ds and user.ds.lll.

In local.ds it saves a file which is downloaded from http://lab[removed].com/lbrc/lbr.bin. This file contains configuration information such as the URL to download new versions from, the URLs to sniff login data from (mostly online banking websites) and where to send that information.

user.ds is the file in which all the spied information is stored. The information will be sent over the web to the author of the Trojan. Zbot.UI also keeps a backup of this file in user.ds.lll.

In order to run at every system startup, the Trojan makes changes to certain registry entries. It also marks its presence on the computer by creating the following mutexes: __SYSTEM__64AD0625__, _AVIRA_2109, _AVIRA_2108, _AVIRA_210999.

The spam this e-threat was made to send out is related to the recent Michael Jackson wave. It has the subject "Who killed Michael Jackson?" and the message is the following:

    Jackson Was Killed…

    But Who Killed Michael Jackson?

    X-Files to see the answer:

This is a generic detection for several HTML files that adware such as Adware.Downloader.Navipromo.B or Adware.LivePlayer.A uses to download.

The files contain an embedded executable which is dropped into %windir%\system32 and is detected as adware as well. The name of the executable is specified in the downloaded HTML file and is generated randomly.

To avoid detection, the executables run only if certain parameters are specified, parameters that are known only to the downloaders.
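Two of the tricks above invite the same analysis step: Zbot's dropped copy differs from the original only by garbage appended after the PE image (so full-file size and MD5 change), and the adware HTML files carry a complete executable inside an otherwise ordinary page. The script below is an added example, not BitDefender's tooling. It parses just enough of the PE header to know where the last section's raw data ends, hashes only that span (so appended junk no longer changes the hash), and reuses the same parser to locate a PE image embedded in an arbitrary blob such as an HTML file. The PE sample it works on is constructed inline (a minimal header layout, not a runnable binary) so the whole thing runs offline.

```python
import hashlib
import struct

# Added example, not BitDefender's code. Minimal PE header parsing: just enough
# to find where the last section's raw data ends, so that bytes appended after
# the image (the "garbage" trick) can be ignored, and so that a PE image can be
# located inside another file (the HTML downloader case).

SECTION_HEADER_LEN = 40


def pe_sections_end(data, base=0):
    """Return the length of the PE image starting at data[base] (headers plus
    all section raw data), or None if there is no well-formed PE there."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    pe = base + e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00" or pe + 24 > len(data):
        return None
    (num_sections,) = struct.unpack_from("<H", data, pe + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)      # COFF SizeOfOptionalHeader
    sect_table = pe + 24 + opt_size
    # Everything up to the end of the section table is header data.
    end = (sect_table - base) + SECTION_HEADER_LEN * num_sections
    for i in range(num_sections):
        hdr = sect_table + SECTION_HEADER_LEN * i
        if hdr + SECTION_HEADER_LEN > len(data):
            return None
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end if base + end <= len(data) else None


def overlay_stripped_md5(pe_bytes):
    """MD5 of the PE image only; bytes appended after the last section are ignored."""
    end = pe_sections_end(pe_bytes)
    if end is None:
        raise ValueError("not a well-formed PE file")
    return hashlib.md5(pe_bytes[:end]).hexdigest()


def find_embedded_pe(blob):
    """Locate the first well-formed PE image inside an arbitrary blob, e.g. an
    HTML file carrying a dropper. Returns (offset, length) or None."""
    pos = blob.find(b"MZ")
    while pos != -1:
        length = pe_sections_end(blob, pos)
        if length is not None:
            return pos, length
        pos = blob.find(b"MZ", pos + 1)
    return None


def embedded_pe_md5(blob):
    """Overlay-stripped MD5 of the first PE image embedded in `blob`, or None."""
    hit = find_embedded_pe(blob)
    if hit is None:
        return None
    offset, length = hit
    return hashlib.md5(blob[offset:offset + length]).hexdigest()


def build_toy_pe(section_payload):
    """Constructed sample for the demo: a minimal, non-runnable PE layout with
    one section whose raw data is `section_payload`. Not a real binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_ptr = e_lfanew + 4 + 20 + SECTION_HEADER_LEN     # data follows the headers
    # Machine=i386, 1 section, no timestamp/symbols, empty optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_payload), 0x1000, len(section_payload),
        raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\x00\x00" + coff + section + section_payload


def demo():
    """Run both checks on constructed data and return the outcomes."""
    clean = build_toy_pe(b"constructed section contents of the original sample")
    # The appended junk changes the file size and the full-file MD5 ...
    padded = clean + b"\x00garbage\xff" * 64
    # ... and a downloader page may carry the whole image inside a comment.
    html = b"<html><body>loader</body><!--" + padded + b"--></html>"
    return {
        "full_md5_differs": hashlib.md5(clean).hexdigest() != hashlib.md5(padded).hexdigest(),
        "stripped_md5_same": overlay_stripped_md5(clean) == overlay_stripped_md5(padded),
        "size_delta": len(padded) - len(clean),
        "embedded_pe_md5_matches": embedded_pe_md5(html) == overlay_stripped_md5(clean),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The overlay-stripped hash is one of the simplest ways to make a file-hash indicator survive the padding trick; it does nothing against a true repack, which changes the section contents themselves. The embedded-image search only accepts an MZ/PE candidate whose section table fits inside the blob, which keeps random "MZ" byte pairs in text from producing false hits.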

The information in this article is available courtesy of BitDefender virus researchers Dana Stanut and Ovidiu Visoiu.