Endpoint Protection

 View Only

Spam Carrying Malicious Infostealer 

Aug 13, 2010 11:56 AM

Symantec Security Response is currently monitoring a wave of email spam that contains a threat detected by Symantec as Trojan.Zbot. This Trojan arrives as a .zip attachment in an email that purports to contain a legitimate attachment, such as a birthday invitation, photos, or resume. However, the attached zipped executable file is a malicious threat. The attachment file size is 119 KB and can have a pseudo-random file name such as “lance armstrong.zip,” “NH ESS Access Guidelines (2).zip,” “pricing.zip,” “invitation.zip,” “Resume.zip,” “Allhotels.zip,” "ARICertificate-C4H736 + FVM4X48.zip," or "Inv 2985 Cool Cash App.zip."

This Trojan has primarily been designed to steal confidential information, such as online credentials or banking details, but it can be customized to gather any sort of information from the compromised machine. 

The email may have one of the following subject lines:

Subject: Beauty and the Geek 2
Subject: fill this Passport Form
Subject: First Birthday Invitation
Subject: In USA on August 15 and 16
Subject: Picture sizes
Subject: Resume & Coverletter - Feedback
Subject: Status
Subject: Employee Orientation
Subject: Your reservation is confirmed - Ref: 00338/058758
Subject: Garages
Subject: Picture sizes
Subject: Another candidate brought to you
Subject: Sales Dept

Data gathered in the Symantec Probe Network shows that .zip attachment spam fluctuated around six percent of total spam until August 5. On August 8, the volume spiked up to 13 percent of total spam:

Symantec is protecting its customers with predictive heuristics, by publishing new security definitions, and designing “Dayzero” filters for early detection of viruses and worms. We caution users not to open or click on the links or attachments in emails such as these, and be suspicious of unsolicited email that contains attachments or links. Symantec recommends having anti-spam and antivirus solutions installed and up to date to prevent the compromise of personal machines or networks.


Note: (20 August 2010) This blog has been updated to include the data trending graph.

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.