Recently this malware appeared in the wild as an executable attached to e-mail spam messages with a subject line that starts with:
The email claims that a package could not be delivered to the recipient because of an incorrect address, and it includes an attachment claiming to contain details of the undelivered package. This is a very common social engineering trick to get the recipient to download and open the attachment.
In this case, the attachment will be an archive that has the name Post_Express_Label_[random_alphanumeric].zip.
On extracting the archive there will be an executable inside that holds the name Post_Express_Label.exe, which is detected as Mal/Zbot-AV.
The malware attachment, Mal/Zbot-AV, is a maliciously packed Fake AV downloader. Normally it has a Microsoft Word icon to try to convince users to run it. Once run, Mal/Zbot-AV tries to download an MS Word file from http://interviewbuy.ru/forum/document.com and then open it. It then deletes itself.
The document contains some bogus information about a package that has supposedly arrived at the post office for you. This file will be downloaded to %MY_DOCUMENTS%\document.doc.
Mal/Zbot-AV will also drop more malware on the system in the following locations:
%INTERNET_CACHE%\Content.IE5\[Random Name Dir]\load[1-5].htm
Mal/Zbot-AV will also add the following registry values (key, value name, data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Startup %PROFILE%\Application Data\temp.js
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup %PROFILE%\Application Data\Startup.js
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce sd cmd.exe /c del "%PROFILE%\Local Settings\Temp\[Random].tmp"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell %PROFILE%\Application Data\palladium.exe
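As an added triage check (not part of the original write-up), the script below reads the four HKCU autostart locations listed above and flags values that match the described artifacts: .js files under Application Data in Run entries, a RunOnce self-deletion command, and a Winlogon Shell that is not explorer.exe. It assumes %PROFILE% corresponds to the current user's profile and is read-only.

```powershell
# Added example: inspect the HKCU autostart locations abused by Mal/Zbot-AV.
# Assumption: the suspect profile is the one running the script.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Startup' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Startup' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';               Name = 'sd' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name = 'Shell' }
)

function Test-SuspiciousAutostart {
    param([string]$ValueName, [string]$Data)
    switch -Regex ($Data) {
        # Script-file persistence: a .js under Application Data started from a Run key
        '\\Application Data\\.*\.js$'            { return 'script-file autostart (.js)' }
        # Winlogon Shell pointed at the dropped binary named in the write-up
        'palladium\.exe$'                        { return 'Winlogon Shell hijack (palladium.exe)' }
        # RunOnce used for self-cleanup: cmd.exe deleting a .tmp in Local Settings\Temp
        '^cmd\.exe /c del .*\\Temp\\.*\.tmp"?$'  { return 'RunOnce self-deletion of .tmp' }
    }
    # On a clean system the shell is explorer.exe (normally set only under HKLM);
    # any per-user override to something else deserves a look
    if ($ValueName -eq 'Shell' -and $Data -ne 'explorer.exe') { return 'non-default Winlogon Shell' }
    return $null
}

foreach ($c in $checks) {
    # Missing key or value name simply yields $null; nothing is modified
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = [string]$item.($c.Name)
    $why  = Test-SuspiciousAutostart -ValueName $c.Name -Data $data
    if ($why) {
        [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $data; Reason = $why }
    }
}
```

A hit on any of these values should be followed by collecting the referenced .js, .tmp and palladium.exe files before cleanup, since the RunOnce entry deletes the .tmp on next logon.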
Mal/Zbot-AV uses the executables in %PROFILE%\Local Settings\Temp as placeholders for the downloaded data. The data comes from http://interviewbuy.ru/forum/load.php?file=[1-9].
Finally, after going through all the files on the domain, the malware makes an HTTP request to:
hxxp://interviewbuy.ru/forum/load.php?file=ftpgrabber
hxxp://interviewbuy.ru/forum/load.php?file=pokergrabber
When the last .tmp file in %PROFILE%\Local Settings\Temp\ runs, a copy is placed in %PROFILE%\Application Data\palladium.exe.
%PROFILE%\Local Settings\Temp\[Random].tmp
%PROFILE%\Application Data\palladium.exe
%PROFILE%\Application Data\[Random].exe
All are detected as Troj/FakeAV-CQF. The files %PROFILE%\Application Data\startup.js and %PROFILE%\Application Data\temp.js are detected as Troj/Dwnldr-IUY. The file %SYSTEM%\dll is detected as Troj/Patched-Y. The file %SYSTEM%\[Random].dll is detected as Mal/Agent-RW.
The Microsoft HTML application that Troj/Dwnldr-IUY tries to execute using Microsoft HTML Application host (mshta.exe) is detected as Mal/FakeAvJs-A.