Bogus Microsoft Outlook Reconfiguration E-mails Install Zbot’s New Variant
According to some security researchers, a new variant of Zbot is spreading through a spam campaign themed around Microsoft Outlook configuration, as reported by SOFTPEDIA on June 19, 2009.
Security researchers have claimed that the criminals behind this campaign have extended their list of potential victims to include TheBat! users.
At the beginning of June 2009, the cyber criminals who developed the notorious Zbot malware decided to change the theme of their campaigns. They sent spam e-mails that falsely announced a reconfiguration of Outlook Express or Microsoft Outlook.
One of the campaigns directed the e-mail recipient to a phony web page where he was asked to enter his configuration information, including username and password. In another campaign, the malware distributors attached a .zip file to the e-mail and asked the recipient to open it to reconfigure Microsoft Outlook. In reality, the .zip file contained a Zbot installer.
Sophos has named this file "Troj/Bckdr-QVN" and has asserted that all the URLs related to this campaign have been removed from the Internet. However, it suspects that they may reemerge in the future, as the attackers have the potential to establish separate hosts to propagate malicious files.
Alex Eckelberry, Chief Executive Officer, Sunbelt Software, said that these attacks were modified to include clients of TheBat!, as reported by SUNBELT Blog on June 11, 2009.
Eckelberry also added that malware distributors had expanded their target base, but the bot seemed to get confused, mixing up TheBat! with Outlook Express and Outlook.
Vanja Svajcer, Principal Virus Researcher, Sophos, said that the new malicious campaign made its mark on the Internet on June 16, 2009 with the sole purpose of spreading links to a malicious file, as reported by SOFTPEDIA on June 19, 2009. "Although several URLs seem to be used for spreading malware, the file name remains the same, called Outlook_update.exe," said Svajcer.
After studying the file in an automated analysis environment, Svajcer concluded that it was a new variant of Zbot.
This points to cyber crooks' consistent efforts to find innovative, sophisticated and advanced tricks for installing malicious programs on users' computers or getting users to hand over their sensitive financial and personal information.
» SPAMfighter News - 26-06-2009