New Wave of Zbot Trojan

McAfee Labs detected a new wave of the PWS-Zbot (a.k.a. Zeus) spam campaign this week.
Some of the subject lines used by these emails:

Subject: Sales Dept
Subject: Another candidate brought to you
Subject: Summary of payments

These emails carry PWS-Zbot Trojan variants belonging to the 2.x line of the Zeus botnet, which currently attempt to reach the following URLs:

hxxpS://193.104.{blocked}/box1/master.tmp
hxxpS://193.104.{blocked}/box1/1.gif
hxxpS://193.104.{blocked}/box1/update.php
hxxpS://cisco-update-{blocked}.com/box1/1.gif (currently offline)

This variant also exhibits rootkit behavior, hooking Windows APIs to hide some of its files from the user.

Examples of such hooks:
ntdll.dll!NtCreateThread
USER32.dll!TranslateMessage
ntdll.dll!NtQueryDirectoryFile
ntdll.dll!LdrLoadDll
ntdll.dll!LdrGetProcedureAddress
ntdll.dll!NtCreateThread
USER32.dll!GetClipboardData
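As an added defender-side illustration (not part of the original post), the hook list above can drive a prologue audit: compare the first bytes of each listed export as mapped in a process against the clean copy from the on-disk image, and, where they differ, decode the trampoline target. The module bases, RVAs and byte strings in the sample are constructed for the demonstration; on a live Windows host they would come from reading the module file and the process memory.

```python
import struct

# Exports the post reports this Zbot variant hooking; a defender audits these first.
ZBOT_HOOKED_EXPORTS = [
    "ntdll.dll!NtCreateThread", "USER32.dll!TranslateMessage",
    "ntdll.dll!NtQueryDirectoryFile", "ntdll.dll!LdrLoadDll",
    "ntdll.dll!LdrGetProcedureAddress", "USER32.dll!GetClipboardData",
]

def decode_inline_hook(export_va, prologue):
    """Return the absolute target of a 32-bit inline hook at export_va, or None
    if the bytes are not a trampoline we recognise: E9 rel32 (jmp rel32) or
    68 imm32 C3 (push imm32; ret)."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (export_va + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None

def audit_exports(on_disk, in_memory, module_bases):
    """Compare each export's leading bytes as mapped in memory with the clean copy
    from the on-disk image. Both maps take 'module!export' -> (rva, bytes).
    Returns {export: hook_target_or_None} for every modified prologue."""
    findings = {}
    for name in ZBOT_HOOKED_EXPORTS:
        if name in on_disk and name in in_memory:
            rva, clean = on_disk[name]
            live = in_memory[name][1]
            if clean[:len(live)] != live[:len(clean)]:
                va = module_bases[name.split("!")[0]] + rva
                findings[name] = decode_inline_hook(va, live)
    return findings

def sample_audit():
    """Constructed sample (invented bases, RVAs and bytes): two hooks, one clean."""
    bases = {"ntdll.dll": 0x7C900000, "USER32.dll": 0x7E410000}
    nt_clean = bytes.fromhex("b891000000ba0003fe7fff12c22c00")  # 32-bit syscall stub
    ldr_clean = bytes.fromhex("8bff558bec83e4f8")               # mov edi,edi; push ebp...
    gcd_clean = bytes.fromhex("8bff558bec51")
    on_disk = {"ntdll.dll!NtQueryDirectoryFile": (0x1234, nt_clean),
               "ntdll.dll!LdrLoadDll": (0x2000, ldr_clean),
               "USER32.dll!GetClipboardData": (0x3000, gcd_clean)}
    # jmp rel32 from 0x7C901234 to an injected region at 0x00A40100
    jmp = b"\xe9" + struct.pack("<i", 0x00A40100 - (0x7C901234 + 5)) + nt_clean[5:]
    pushret = b"\x68" + struct.pack("<I", 0x00A40200) + b"\xc3"
    in_memory = {"ntdll.dll!NtQueryDirectoryFile": (0x1234, jmp),
                 "ntdll.dll!LdrLoadDll": (0x2000, ldr_clean),
                 "USER32.dll!GetClipboardData": (0x3000, pushret)}
    return audit_exports(on_disk, in_memory, bases)
```

A prologue that differs but decodes to None still counts as a finding; it means the export was patched with a trampoline shape this check does not recognise and deserves a manual look.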
This variant also uses HTTPS to communicate with the remote servers and download encrypted data. In some instances it was also found to patch termsrv.dll to bypass authentication when connecting to the machine via Remote Desktop.

The SSL certificate used by the server is self-signed with default parameters and carries a date of July 13, exactly one month from today.

Further details on the Zbot (Zeus) Trojan family are available in the Virus Information Library.

Update: We have noticed that some reports refer to the current wave of PWS-Zbot as “Zeus v3.” To clarify: the current Zbot variants are generated by the “v2 toolkit” and its variants. The Zbot Trojan has evolved from the “v1 toolkit,” which generated the 1.x.x to 1.3.x variants, to the “v2 toolkit,” which underlies the current versions.

Copyright © 2012 The Security Blog. All rights reserved.