This blog reports on a variant of the ZBot trojan that’s making its way through the tubes of the internet. It’s a classic scam, where the bad guys pose as, in our case, lmi.net tech support. They send you a link via email. The link is obfuscated to look as if it points to an lmi.net server, but it actually goes to a server off-site. The server has several IP addresses, so that if one is shut down, the others may still have a hope of infecting your system. The link leads to a page that tells you to download an executable called YOURNAME-settings.exe.

If you download the exe file and run it, it does a bunch of fun stuff. From the previously mentioned blog:

Regarding ZBot: it is a trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with remote access to the compromised system.

The trojan will create a file %System%\sdra64.exe and the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds in combination with a hidden directory %System%\lowsec. There were new memory pages created in the address space of the system process(es): services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe.

Several registry settings are modified and the trojan could make a connection to a remote host on the IP 195.93.208.106 on port 80. Data requested is: hxxp://195.93.208.106/livs/rec.php, hxxp://195.93.208.106/lcc/ip1.gif and hxxp://195.93.208.106/ip.php.

This is nasty stuff. Always be sure to write back to us if you think we’ve sent you an email request for your password, or to download any file at all, and make sure you’re responding to an lmi.net address – a lot of these emails include a Reply-To address different from the From address.
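As an added example, not from the original post, here is a small Python check for the two tells described above: a Reply-To address whose domain differs from the From domain, and a link whose visible text names lmi.net while its real target is another host. The sample message, its Reply-To domain and the 203.0.113.5 address are constructed for illustration.

```python
# Added example, not from the original post: flag a Reply-To domain that differs from
# the From domain, and an <a> whose visible text names lmi.net but whose href points
# elsewhere. The message below is constructed; 203.0.113.5 is a documentation address.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAIN = "lmi.net"  # the domain the message claims to come from
SAMPLE_EMAIL = """\
From: LMI Support <support@lmi.net>
Reply-To: helpdesk@mail-settings-update.example
Content-Type: text/html

<html><body>Download: <a href="http://203.0.113.5/settings/JSMITH-settings.exe">http://lmi.net/settings</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def addr_domain(header):
    # Domain part of an address header such as 'Name <user@host>'; "" if absent.
    return parseaddr(header)[1].rpartition("@")[2].lower()

def phishing_findings(raw_email):
    """Return human-readable findings; an empty list means neither tell was seen."""
    msg = message_from_string(raw_email)
    findings = []
    from_dom, reply_dom = addr_domain(msg["From"] or ""), addr_domain(msg["Reply-To"] or "")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        trusted = host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
        if TRUSTED_DOMAIN in text and not trusted:
            findings.append(f"link text '{text}' actually points at {host}")
    return findings
```

Running `phishing_findings(SAMPLE_EMAIL)` reports both the mismatched Reply-To and the disguised link; a message whose links really go to lmi.net and whose Reply-To matches produces no findings.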