You have received an eCard = Zeus Trojan

We have detected a new wave of email messages carrying an attached ZIP archive that is in fact malware: it contains the dangerous Zeus Trojan, which is commonly used to steal online banking credentials.

The file extracted from the ZIP archive is named ecard.exe:

Report date: 7.2.2010 at 13.08.05 (GMT+1)
File name: ecard.exe
File size: 94208 bytes
MD5 Hash: 859b6786b551c1c7672f361447c0f481
SHA1 Hash: 3533D767771605BD647FFA9096A63F39B6C12A45
Detection rate: 19 of 19

a-squared – Trojan-Spy.Win32.Zbot!IK
Avira AntiVir – TR/Crypt.ZPACK.Gen
Avast – Win32:Zbot-LVW [Trj]
AVG – Win32/Cryptor
BitDefender – Backdoor.Bot.104112
ClamAV – Trojan.Spy.Zbot-40
Comodo – TrojWare.Win32.TrojanSpy.Zbot.Gen
Dr.Web – Trojan.PWS.Panda.122
F-PROT6 – W32/Trojan3.BCN
G-Data – Trojan-Spy.Win32.Zbot.zur A
Ikarus T3 – Trojan-Spy.Win32.Zbot
Kaspersky – Trojan-Spy.Win32.Zbot.zur
McAfee – PWS-Zbot trojan
NOD32 – Win32/Spy.Zbot.JF
Panda – Trj/Sinowal.WLU
Solo Antivirus – Trojan.Spy.Win32.Zbot.Zur
Sophos – Troj/Agent-KQH
VBA32 – Trojan-Spy.Win32.Zbot.zur
VirusBuster – TrojanSpy.Zbot.KZW

When the program is executed, it creates the following files:


The program injects code into the winlogon.exe system process and creates the following registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit:
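The Userinit value under that Winlogon key is what winlogon.exe runs at every logon, so an extra path appended after the stock userinit.exe is a persistence mechanism worth checking on any machine that may have opened ecard.exe. The script below is an added example, not code from the original post: it splits the Userinit value on commas and reports every entry that is not the stock `%SystemRoot%\system32\userinit.exe`. The default `system_root` and the `example_dropped.exe` path in the offline sample value are assumptions for demonstration; on a Windows host it reads the live value via `winreg`.

```python
import os
import re
import sys

# Registry key named in the post; the Userinit value lives under it.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def suspicious_userinit_entries(value, system_root=r"C:\Windows"):
    """Return the comma-separated Userinit entries that are not the stock userinit.exe.

    The stock value is "<SystemRoot>\\system32\\userinit.exe," (note the trailing
    comma); anything appended after it is started by winlogon.exe at every logon.
    system_root defaults to C:\\Windows for offline use (assumption); on a live host
    pass the real one so a stock path is not mistaken for a stray copy.
    """
    expected = (system_root + r"\system32\userinit.exe").lower()
    suspicious = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        # Expand %SystemRoot% case-insensitively before comparing full paths.
        expanded = re.sub(r"%systemroot%", lambda m: system_root, entry, flags=re.IGNORECASE)
        if expanded.lower() != expected:
            suspicious.append(entry)
    return suspicious


def read_userinit_from_registry():
    """Read the live Userinit value. Windows only (uses the winreg module)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def main():
    if sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        value = read_userinit_from_registry()
    else:
        # Constructed sample value for offline demonstration; the second path is hypothetical.
        root = r"C:\Windows"
        value = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\example_dropped.exe,"
    extra = suspicious_userinit_entries(value, root)
    print("Userinit =", value)
    print("Suspicious entries:", extra or "none")


if __name__ == "__main__":
    main()
```

Anything the script reports should be hashed and compared with the MD5/SHA1 values above; a hit on a second, differently named binary is still worth a look, since the file dropped by the trojan need not keep the ecard.exe name.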

The subjects of the malicious emails are always one of the following:

You have received an eCard
You have received a postcard
You’ve received an eCard
You’ve received a postcard

This is the body of the emails (reproduced verbatim, typos included):

Good day.
You have received an eCard

To pick up your eCard, open attached file

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

Headers of the emails:

Received: from KKHTNFB (unknown [])
Received: from by

Always pay attention when opening emails in your inbox: if you receive a similar email with a ZIP archive attached, ignore it and do not extract or run the contents.
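The subjects, the ZIP-with-executable attachment and the ecard.exe hashes above are enough for a simple mail-gateway triage rule. The script below is an added example, not code from the original post: it parses a message with the standard `email` library, flags a known lure subject, opens any ZIP attachment in memory to look for executable members, and hashes those members against the MD5/SHA1 reported above. The sample message it builds is constructed for the demonstration; the sender, recipient, `ecard.zip` attachment name and the placeholder bytes inside it are assumptions, so the hash check is shown firing only on the digests themselves.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Subjects seen in the campaign (from the post).
ECARD_SUBJECTS = {
    "You have received an eCard",
    "You have received a postcard",
    "You've received an eCard",
    "You've received a postcard",
}

# Hashes of ecard.exe reported in the post.
IOC_MD5 = "859b6786b551c1c7672f361447c0f481"
IOC_SHA1 = "3533d767771605bd647ffa9096a63f39b6c12a45"

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")


def normalize_subject(subject):
    """Fold curly apostrophes to straight ones and collapse whitespace."""
    return " ".join(str(subject or "").replace("\u2019", "'").split())


KNOWN_SUBJECTS = {normalize_subject(s) for s in ECARD_SUBJECTS}


def matches_ioc_digests(md5_hex, sha1_hex):
    """True if either digest equals the reported ecard.exe hash."""
    return md5_hex.lower() == IOC_MD5 or sha1_hex.lower() == IOC_SHA1


def executables_in_zip(zip_bytes):
    """Return (member name, member bytes) for executable-looking members; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [(n, zf.read(n)) for n in zf.namelist()
                    if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def triage(raw_message):
    """Classify one raw RFC 822 message against the indicators above."""
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = {
        "subject_match": normalize_subject(msg["Subject"]) in KNOWN_SUBJECTS,
        "zip_with_exe": [],
        "ioc_hash_match": False,
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        is_zip = (part.get_content_type() in ("application/zip", "application/x-zip-compressed")
                  or name.endswith(".zip"))
        if not is_zip:
            continue
        for member, data in executables_in_zip(part.get_payload(decode=True)):
            findings["zip_with_exe"].append(member)
            if matches_ioc_digests(hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()):
                findings["ioc_hash_match"] = True
    # A hash hit is conclusive; a lure subject plus an executable inside a ZIP is enough to block.
    findings["verdict"] = "block" if findings["ioc_hash_match"] or (
        findings["subject_match"] and findings["zip_with_exe"]) else "allow"
    return findings


# --- constructed sample message (not a real capture) -----------------------

def build_sample_zip(member_name, member_bytes):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


def build_sample_message(subject, zip_bytes, zip_name="ecard.zip"):
    """Assemble a lure-shaped message; sender, recipient and ZIP name are assumptions."""
    msg = EmailMessage()
    msg["From"] = "ecard@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Good day.\nYou have received an eCard\n\nTo pick up your eCard, open attached file\n")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message(
        "You\u2019ve received a postcard",
        build_sample_zip("ecard.exe", b"MZ placeholder bytes, not the real sample"))
    print(triage(sample))
```

The subject check alone is weak, since legitimate greeting-card services use similar wording; the rule blocks only when the subject is paired with an executable inside the archive, and the hash comparison catches the same binary even when the sender changes the subject or the archive name.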
