Zbot Spam Campaign Continues
- Friday, October 16, 2009, 0:07
- Threat Research
A slightly modified Zbot spam campaign currently making the rounds pretends to come from the IT support of various companies. It informs users that a security update in the mailing service caused changes in their mailbox settings. They are instructed to open the ZIP attachment and run the .EXE file, INSTALL.EXE, to supposedly apply the changes. Trend Micro detects this as TROJ_FAKEREAN.CF.
When executed, this Trojan accesses http://{BLOCKED}nerkadosa.com/xIw1yPD0q5Gb8t0br4×6k5sk to download another malicious file detected as TROJ_FAKEREAN.BI.
Spammers usually employ random email addresses in the FROM and TO header fields, but in this case the actual company domain is used in the email addresses in both fields. This is done to make the email message more credible, as though it came from inside the company, thus luring unsuspecting users into executing the malware.
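The two traits described above, a sender address on the recipient's own domain and a ZIP attachment carrying an .EXE, can be checked at the mail gateway. The following is an added example, not part of the original post: it assumes the gateway stamps an Authentication-Results header, and the function names and example.com addresses are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

def domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def zip_executables(msg):
    """Names of .exe members inside any ZIP attachment."""
    found = []
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [n for n in zf.namelist() if n.lower().endswith(".exe")]
        except zipfile.BadZipFile:
            found.append("<unreadable zip>")
    return found

def findings(raw):
    """Reasons a raw message matches the lure described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    same_domain = domain(msg["From"]) and domain(msg["From"]) == domain(msg["To"])
    # Assumption: the receiving gateway records SPF results in this header.
    auth = (msg["Authentication-Results"] or "").lower()
    if same_domain and "spf=pass" not in auth:
        reasons.append("internal-looking sender without SPF pass")
    if exes := zip_executables(msg):
        reasons.append("ZIP attachment contains " + ", ".join(exes))
    return reasons

def build_sample(sender, auth_results, with_zip):
    """Constructed sample message; the 'EXE' is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "user@example.com"
    m["Authentication-Results"] = auth_results
    m.set_content("Please apply the attached update.")
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("INSTALL.EXE", b"placeholder, not a program")
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="install.zip")
    return m.as_bytes()
```

A message that triggers both findings is a strong candidate for quarantine; either one alone is better treated as a signal for review.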
This attack is a follow-up to the phishing email we blogged about earlier this week. That email purports to be a notification from the company’s “system administrator” asking the user to update their system because of a server upgrade. Accordingly, the subdomains are tailor-made to make it look more legitimate.
Users are encouraged not to open suspicious-looking emails even if they supposedly come from a trusted source. It is also advisable that users first contact their IT or tech support if they receive such emails, to verify whether a security update has indeed occurred. Trend Micro protects users from this attack with its