AntiVirus2008 & Zbot - presents from Irina

Filed Under: Malware, SophosLabs

Earlier on today we started seeing a malicious Trojan dropper being sent out via spam. Messages hitting our spam traps carrying the malicious attachment bore rather predictable social engineering, in this case purporting to be from a lady called Irina:

irina-email.png

The attachments is a ZIP file (photo.zip) which contains a single executable attachment. This is a malicious Trojan dropper, detection for which has been added as Troj/Mdrop-BUP.

And the purpose of Irina's little gift? When the file is run, a photo (supposedly of Irina) is displayed:

irina_f.png

The desktop background is changed, to display a fake warning message:

irina2.jpg

In the background, two pieces of malware are silently installed, both from notorious families that have been very active recently.

  • Zbot. A variant of this stealthing bot is dropped (to the system folder as ntos.exe). Fortunately, it is proactively detected as Troj/Zbot-L.
  • AntiVirus 2008. Another variant of this family that displays fake infection reports to the victim in order them to trick them into buying the fake security product. Detection for this component is thin on the ground, but Sophos proactively detects as Mal/EncPk-CZ.

Whether there are links between the groups behind Zbot and AntiVirus 2008 'scareware' is unknown. I doubt it, more likely someone is simply making money by getting paid to infect victims with each. Don't let your (lack of) security help them.

, ,

You might like