Evasive Malware Delivered In Fake BBB Complaint


Malicious emails claiming to be from the Better Business Bureau have been hitting our spam and virus filters en masse today. These messages attempt to convince the recipient that the BBB has received a complaint from a customer and that the file attached to the email contains a summary of the complaint. You are instructed to open and read the attached “report” and reply with your response to the claim. The problem is that the “report” is actually an executable file that contains a nasty Trojan/Virus.

Here is a look at the message:

Preliminary examination of the file indicates that it is a variant of the ever popular Zeus or Zbot. However, some behaviors differ slightly from the most recent Zbot infections we have examined. Once this variant launches and hides itself, it does a good job of disarming the host machine by making the following changes:

Disables the Task Manager:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000001

Disables the signature check on downloaded executables:

\REGISTRY\USER\S-1-5-21-2861947270-1595359862-2473858597-1000\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = no

Modifies Windows Explorer attachment settings so that zone information is no longer saved with downloaded files:

\REGISTRY\USER\S-1-5-21-2861947270-1595359862-2473858597-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = 0x00000001

Lowers the risk rating of executable file types so downloads of them no longer trigger a warning:

\REGISTRY\USER\S-1-5-21-2861947270-1595359862-2473858597-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi,.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
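As an added, defender-side example (not code from the original post or from AppRiver), the following Python script parses a text dump in the `reg export` (.reg) format and flags the four policy values described above when they carry the tampered settings; the key suffixes and value names come from the post, and the embedded sample export is constructed.

```python
import re

# Indicators from the article: (key suffix, value name, predicate, finding text).
INDICATORS = [
    ("\\Policies\\System", "DisableTaskMgr", lambda v: v == 1,
     "Task Manager disabled"),
    ("\\Internet Explorer\\Download", "CheckExeSignatures", lambda v: str(v).lower() == "no",
     "signature check on downloaded executables disabled"),
    ("\\Policies\\Attachments", "SaveZoneInformation", lambda v: v == 1,
     "zone information (Mark-of-the-Web) no longer saved on downloads"),
    ("\\Policies\\Associations", "LowRiskFileTypes",
     lambda v: {".exe", ".scr", ".bat", ".cmd", ".com"} & set(re.split("[;,]", str(v).lower())),
     "executable extensions marked as low risk"),
]

def parse_reg_export(text):
    """Parse the .reg subset used here into {(key, name): value} (dword -> int, strings unescaped)."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                values[(key, name)] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                values[(key, name)] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return values

def audit(reg_text):
    """Return one finding per registry value matching the tampering described above."""
    findings = []
    for (key, name), value in parse_reg_export(reg_text).items():
        for suffix, ind_name, hit, text in INDICATORS:
            if name == ind_name and key.endswith(suffix) and hit(value):
                findings.append(f"{key}\\{name}: {text}")
    return findings

# Constructed sample export reproducing the four changes listed in the article.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi,.htm;.scr;"
"""
```

Run `audit()` over the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies` (and the matching HKCU keys) from a suspect host; any finding means the policy settings match the post's description and the machine deserves a closer look.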

Communication is observed with the following domains:

  • unocardgam(dot)com
  • whatisadebima(dot)com
  • wisudarel(dot)com
  • fokuslol(dot)com
  • froukloro(dot)com

Currently only 9 of 42 (21%) AV providers are identifying this threat as malicious, and in the past 24 hours we have seen nearly half a million of these messages hit our filters. The Zbot or Zeus malware family has been stealing money from people’s bank accounts and other sensitive logins since 2008. In addition to capturing your bank account login credentials, Zeus has been known to steal Facebook logins as well. Beyond information theft, Zbot also hijacks your machine and enslaves it to a botnet. Avoid falling for this attack, and if you're ever in doubt, pick up the phone and call the sender to see if it is real.
