You have received an eCard = Zeus Trojan
We have detected a new wave of email messages carrying a ZIP archive attachment named ecard.zip. The archive is in fact malware: it contains the dangerous Zeus Trojan, which is commonly used to steal online banking credentials.
The file extracted from the ZIP archive is named ecard.exe:
Report date: 7.2.2010 at 13.08.05 (GMT 1)
File name: ecard.exe
File size: 94208 bytes
MD5 Hash: 859b6786b551c1c7672f361447c0f481
SHA1 Hash: 3533D767771605BD647FFA9096A63F39B6C12A45
Detection rate: 19 of 19
Status: INFECTED
a-squared – Trojan-Spy.Win32.Zbot!IK
Avira AntiVir – TR/Crypt.ZPACK.Gen
Avast – Win32:Zbot-LVW [Trj]
AVG – Win32/Cryptor
BitDefender – Backdoor.Bot.104112
ClamAV – Trojan.Spy.Zbot-40
Comodo – TrojWare.Win32.TrojanSpy.Zbot.Gen
Dr.Web – Trojan.PWS.Panda.122
F-PROT6 – W32/Trojan3.BCN
G-Data – Trojan-Spy.Win32.Zbot.zur A
Ikarus T3 – Trojan-Spy.Win32.Zbot
Kaspersky – Trojan-Spy.Win32.Zbot.zur
McAfee – PWS-Zbot trojan
NOD32 – Win32/Spy.Zbot.JF
Panda – Trj/Sinowal.WLU
Solo Antivirus – Trojan.Spy.Win32.Zbot.Zur
Sophos – Troj/Agent-KQH
VBA32 – Trojan-Spy.Win32.Zbot.zur
VirusBuster – TrojanSpy.Zbot.KZW
When the program is executed, it creates the following file:
C:\WINDOWS\system32\sdra64.exe
The program injects code into the system process named winlogon.exe and it creates the following registry entry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
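The Userinit value is the persistence mechanism worth checking on a suspect host: Winlogon launches every comma-separated entry in it at logon, so the appended sdra64.exe path runs each time a user signs in. The following is an added example, not code from the original post: it parses a Userinit value and reports every entry other than the expected userinit.exe, and it compares a file's MD5/SHA1 against the two indicators from the report above. The sample values, the expected userinit.exe path, and the optional live registry read (Windows only) are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import sys

# Indicators taken from the report above (MD5 and SHA1 of ecard.exe), lowercased.
KNOWN_BAD_HASHES = {
    "859b6786b551c1c7672f361447c0f481",
    "3533d767771605bd647ffa9096a63f39b6c12a45",
}

# Assumed default: the only program Userinit should launch on a stock install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_extra_entries(value: str, expected: str = EXPECTED_USERINIT) -> list[str]:
    """Split a Winlogon\\Userinit REG_SZ value on commas and return every
    entry that is not the expected userinit.exe (case-insensitive).

    The sample appends ",C:\\WINDOWS\\system32\\sdra64.exe," so the extra
    executable is what a clean host must not have; the trailing empty field
    produced by the final comma is normal and is ignored.
    """
    entries = [e.strip() for e in value.split(",")]
    entries = [e for e in entries if e]  # drop the empty field after the trailing comma
    return [e for e in entries if e.lower() != expected.lower()]


def file_hashes(data: bytes) -> dict[str, str]:
    """Return lowercase MD5 and SHA1 hex digests of a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_known_bad(data: bytes) -> bool:
    """True if either digest of the contents is one of the indicators above."""
    return any(h in KNOWN_BAD_HASHES for h in file_hashes(data).values())


def read_userinit_from_registry() -> str | None:
    """Read the live Userinit value on a Windows host; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values: a clean default and the value reported above.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"

if __name__ == "__main__":
    samples = [("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE),
               ("live", read_userinit_from_registry())]
    for label, val in samples:
        if val is None:
            continue
        extra = userinit_extra_entries(val)
        print(f"{label}: {'SUSPICIOUS ' + repr(extra) if extra else 'ok'}")
```

The split-and-compare approach catches any appended program, not only sdra64.exe; a hash check alone would miss a repacked sample, which is why the registry value is the more durable indicator of the two.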
The subjects of the malicious emails are always the same:
You have received an eCard
You have received a postcard
You’ve received an eCard
You’ve received a postcard
This is the message of the emails:
Good day.
You have received an eCard
To pick up your eCard, open attached file
Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!
Headers of the emails:
Received: from KKHTNFB (unknown [210.183.62.81])
Received: from 210.183.62.81 by mail.sasun.net
Always pay attention when you open emails in your inbox: if you receive a similar email and the attached file is a ZIP archive named ecard.zip or postcard.zip, ignore it.
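The subject lines and attachment names listed above are enough to write a simple mail-gateway triage rule. The following is an added example, not code from the original post: it flags a message whose subject matches one of the four reported subjects and whose attachment is ecard.zip or postcard.zip, and it goes one step beyond the post by also opening any ZIP attachment and reporting members with an executable suffix, since the lure depends on the recipient running ecard.exe from inside the archive. The in-memory sample messages and the list of executable suffixes are constructed for illustration.

```python
from __future__ import annotations

import io
import zipfile

# Subject lines and attachment names reported in the post above (lowercased,
# with the typographic apostrophe normalised to a plain one).
SUSPICIOUS_SUBJECTS = {
    "you have received an ecard",
    "you have received a postcard",
    "you've received an ecard",
    "you've received a postcard",
}
SUSPICIOUS_ATTACHMENTS = {"ecard.zip", "postcard.zip"}

# Assumed list of member suffixes that should never arrive inside a greeting-card ZIP.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def normalise_subject(subject: str) -> str:
    """Lowercase the subject and map the curly apostrophe (U+2019) to ASCII."""
    return subject.replace("\u2019", "'").strip().lower()


def executable_members(zip_bytes: bytes) -> list[str]:
    """Names of members inside a ZIP that carry an executable suffix; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def triage_message(subject: str, attachments: dict[str, bytes]) -> list[str]:
    """Return the reasons a message matches this campaign; an empty list means no match."""
    reasons: list[str] = []
    subject_hit = normalise_subject(subject) in SUSPICIOUS_SUBJECTS
    for name, data in attachments.items():
        if subject_hit and name.lower() in SUSPICIOUS_ATTACHMENTS:
            reasons.append(f"campaign subject with attachment {name}")
        members = executable_members(data)
        if members:
            reasons.append(f"{name} contains executable(s): {', '.join(members)}")
    return reasons


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory ZIP whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages: one shaped like the campaign, one benign.
PHISH = ("You\u2019ve received an eCard",
         {"ecard.zip": build_zip({"ecard.exe": b"placeholder, not an executable"})})
BENIGN = ("Quarterly report",
          {"report.zip": build_zip({"report.pdf": b"%PDF placeholder"})})

if __name__ == "__main__":
    for label, (subject, attachments) in (("phish", PHISH), ("benign", BENIGN)):
        reasons = triage_message(subject, attachments)
        print(f"{label}: {reasons or 'no match'}")
```

Matching on subject and attachment name alone is brittle (the sender only has to change a word), so the executable-in-ZIP check is the part of the rule worth keeping when the subjects rotate.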