You have received an eCard = Zeus Trojan

We have detected a new wave of email messages carrying a ZIP archive named ecard.zip. The archive is in fact malware: it contains the Zeus Trojan, which is commonly used to steal bank account credentials.

The file extracted from the ZIP archive is named ecard.exe:

Report date: 7.2.2010 at 13.08.05 (GMT+1)
File name: ecard.exe
File size: 94208 bytes
MD5 Hash: 859b6786b551c1c7672f361447c0f481
SHA1 Hash: 3533D767771605BD647FFA9096A63F39B6C12A45
Detection rate: 19 of 19
Status: INFECTED

a-squared – Trojan-Spy.Win32.Zbot!IK
Avira AntiVir – TR/Crypt.ZPACK.Gen
Avast – Win32:Zbot-LVW [Trj]
AVG – Win32/Cryptor
BitDefender – Backdoor.Bot.104112
ClamAV – Trojan.Spy.Zbot-40
Comodo – TrojWare.Win32.TrojanSpy.Zbot.Gen
Dr.Web – Trojan.PWS.Panda.122
F-PROT6 – W32/Trojan3.BCN
G-Data – Trojan-Spy.Win32.Zbot.zur A
Ikarus T3 – Trojan-Spy.Win32.Zbot
Kaspersky – Trojan-Spy.Win32.Zbot.zur
McAfee – PWS-Zbot trojan
NOD32 – Win32/Spy.Zbot.JF
Panda – Trj/Sinowal.WLU
Solo Antivirus – Trojan.Spy.Win32.Zbot.Zur
Sophos – Troj/Agent-KQH
VBA32 – Trojan-Spy.Win32.Zbot.zur
VirusBuster – TrojanSpy.Zbot.KZW

When the program is executed, it creates the following file:

C:\WINDOWS\system32\sdra64.exe

The program injects code into the system process winlogon.exe and modifies the following registry value, appending sdra64.exe to the list of programs Winlogon runs at every logon:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit:
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
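On a clean system the Userinit value holds only userinit.exe, so any extra program in that comma-separated list is a persistence indicator. The script below is an added example written for this post, not code from the original article: it parses a Userinit value and reports the entries that are not the expected userinit.exe, using the infected value quoted above as sample input. The clean value, the `system_root` parameter and the `read_live_userinit` helper are assumptions added here; the live read only works on Windows.

```python
"""Flag unexpected programs in the Winlogon Userinit value (added example)."""
from __future__ import annotations

import ntpath

# Value observed on the infected host, as quoted in the post.
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
# Constructed clean value for comparison (not from the post).
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit value into its program entries.

    Windows runs every comma-separated entry at logon. Empty entries from
    the trailing comma are dropped, quotes and whitespace are stripped, and
    entries are lower-cased because Windows paths are case-insensitive.
    """
    entries: list[str] = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            entries.append(part.lower())
    return entries


def unexpected_userinit_entries(value: str, system_root: str = r"C:\WINDOWS") -> list[str]:
    """Return every Userinit entry that is not the legitimate userinit.exe.

    The full path is compared, not just the file name, so a copy of
    userinit.exe dropped in another directory is flagged too.
    """
    expected = {
        ntpath.join(system_root, "system32", "userinit.exe").lower(),
        r"%systemroot%\system32\userinit.exe",
    }
    return [entry for entry in parse_userinit(value) if entry not in expected]


def read_live_userinit() -> str | None:
    """Read the Userinit value from the local registry (Windows only).

    Returns None on platforms without the winreg module.
    """
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for label, value in (("infected", INFECTED_USERINIT), ("clean", CLEAN_USERINIT)):
        print(f"{label}: unexpected entries = {unexpected_userinit_entries(value)}")
    live = read_live_userinit()
    if live is not None:
        print(f"this host: unexpected entries = {unexpected_userinit_entries(live)}")
```

Run it on a Windows host to check the live value; on any other platform it only evaluates the two sample values. Because the check compares full paths, a non-default system root (for example C:\WINNT) must be passed as `system_root` or the legitimate entry will be reported as unexpected.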

The subject of the malicious emails is always one of the following:

You have received an eCard
You have received a postcard
You’ve received an eCard
You’ve received a postcard

This is the body of the emails:

Good day.
You have received an eCard

To pick up your eCard, open attached file

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

Received headers of the emails:

Received: from KKHTNFB (unknown [210.183.62.81])
Received: from 210.183.62.81 by mail.sasun.net

Always pay attention when you open emails in your inbox: if you receive a similar message and the attached file is a ZIP archive named ecard.zip or postcard.zip, ignore the email.
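The indicators listed above (subjects, attachment names, the SHA1 of the extracted ecard.exe and the sending IP in the Received header) can be turned into an automated triage rule. The script below is an added example, not code from the original post: it parses a raw message, checks each indicator, inspects the contents of any ecard.zip/postcard.zip attachment and returns a verdict. The sample message and the ZIP inside it are constructed here so the script runs offline; the bytes placed in the ZIP are a harmless placeholder, not the real ecard.exe, so the hash check does not fire on the sample.

```python
"""Triage an email against the eCard/Zbot indicators from the post (added example)."""
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the post (lower-cased for comparison).
SUBJECTS = {
    "you have received an ecard",
    "you have received a postcard",
    "you’ve received an ecard",
    "you’ve received a postcard",
}
ATTACHMENT_NAMES = {"ecard.zip", "postcard.zip"}
KNOWN_BAD_SHA1 = {"3533d767771605bd647ffa9096a63f39b6c12a45"}  # ecard.exe from the post
SENDER_IPS = {"210.183.62.81"}


def normalize_subject(subject: str) -> str:
    """Lower-case the subject and treat straight and curly apostrophes alike."""
    return subject.strip().lower().replace("'", "’")


def triage(raw: bytes) -> dict:
    """Check one raw RFC 822 message against every indicator and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {
        "subject_match": normalize_subject(msg.get("Subject", "")) in SUBJECTS,
        "received_ip_match": any(
            ip in header for header in msg.get_all("Received", []) for ip in SENDER_IPS
        ),
        "zip_attachment": None,
        "inner_files": [],   # (name inside the ZIP, SHA1 of its content)
        "hash_match": False,
        "verdict": "clean",
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name not in ATTACHMENT_NAMES:
            continue
        findings["zip_attachment"] = name
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    digest = hashlib.sha1(zf.read(info)).hexdigest()
                    findings["inner_files"].append((info.filename, digest))
                    if digest in KNOWN_BAD_SHA1:
                        findings["hash_match"] = True
        except zipfile.BadZipFile:
            findings["inner_files"].append(("<not a valid zip>", ""))
    # A known hash, or the lure subject together with the lure attachment, is enough
    # to quarantine; a single weaker indicator is only flagged for review.
    if findings["hash_match"] or (findings["zip_attachment"] and findings["subject_match"]):
        findings["verdict"] = "quarantine"
    elif findings["zip_attachment"] or findings["subject_match"] or findings["received_ip_match"]:
        findings["verdict"] = "suspicious"
    return findings


def build_sample_message() -> bytes:
    """Constructed message mirroring the lure in the post; the ZIP holds a placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ecard.exe", b"placeholder bytes, not the real executable")
    msg = EmailMessage()
    msg["Subject"] = "You have received an eCard"
    msg["From"] = "ecard@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Received"] = "from KKHTNFB (unknown [210.183.62.81])"
    msg.set_content("Good day.\nYou have received an eCard\n\nTo pick up your eCard, open attached file\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="ecard.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample_message())
    for key, value in result.items():
        print(f"{key}: {value}")
```

The verdict is deliberately conservative: hashing the files inside the ZIP catches the exact sample, while the subject-plus-attachment rule also catches repacked variants with a different hash, which is the usual case once a campaign has run for a few days.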
