A ZBot trojan variant in emails pretending to come from DHL

We all thought that the days of the ZBot trojan were long gone, but maybe that was only our hope and not the reality.

We have started to detect, in an aggressive spam campaign with emails pretending to come from DHL, a variant of the ZBot trojan horse, detected by Avira as TR/Spy.ZBot.RU.

The email contains a tracking notification and has a zip archive attached. The only file in the archive is an executable with the same name as the archive.
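The attachment pattern described above (a zip archive whose only member is an executable carrying the archive's own name) is something a mail gateway can check for before the file ever reaches a user. The following is an added example, not code from the original post or from Avira; the archive and member names are constructed for illustration, and the inspection function and its output strings are assumptions of this example rather than any product's logic.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from a {name: content} mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_attachment(archive_name: str, archive_bytes: bytes) -> List[str]:
    """Return the reasons an attachment matches the lure pattern; an empty list means no match.

    The pattern checked is exactly the one described in the post: a single executable
    inside the archive, named like the archive itself.
    """
    reasons: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    with zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 1:
            return reasons  # the lure pattern is exactly one file; other shapes are out of scope here
        member = members[0]
        inner_name = os.path.basename(member.filename)
        inner_stem, inner_ext = os.path.splitext(inner_name)
        archive_stem, _ = os.path.splitext(os.path.basename(archive_name))
        if inner_ext.lower() not in EXECUTABLE_EXTENSIONS:
            return reasons
        reasons.append(f"single member is an executable: {inner_name}")
        if inner_stem.lower() == archive_stem.lower():
            reasons.append("executable name matches the archive name")
        if "." in inner_stem:
            reasons.append("executable uses a double extension")  # e.g. notice.pdf.exe
        # Windows PE images start with the two bytes 'MZ'; read just the header.
        with zf.open(member) as fh:
            if fh.read(2) == b"MZ":
                reasons.append("member has a PE (MZ) header")
    return reasons


# Constructed samples: one shaped like the lure in the post, one benign archive.
LURE_ARCHIVE_NAME = "DHL_Tracking_Notification.zip"
LURE_ARCHIVE = build_zip({"DHL_Tracking_Notification.exe": b"MZ" + b"\x00" * 62})
BENIGN_ARCHIVE_NAME = "documents.zip"
BENIGN_ARCHIVE = build_zip({"invoice.pdf": b"%PDF-1.4 sample", "readme.txt": b"hello"})


def main() -> None:
    for name, data in ((LURE_ARCHIVE_NAME, LURE_ARCHIVE), (BENIGN_ARCHIVE_NAME, BENIGN_ARCHIVE)):
        findings = inspect_attachment(name, data)
        verdict = "SUSPICIOUS" if findings else "clean"
        print(f"{name}: {verdict}")
        for reason in findings:
            print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

The check deliberately looks only at the archive listing and the first two bytes of the member, so it runs cheaply at the gateway and does not depend on a signature for any particular ZBot build; a hit is a reason to quarantine or sandbox the message, not a proof of infection.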

I was quite surprised to see Zbot popping up again via email, so I said that it has to be new.

And to my surprise, scanning the malware with the well-known website VirusTotal.com gave me some very interesting results. It appeared that somebody before me had scanned the file today (5.3.2012 at 15:27 UTC) and the detection was clearly at the beginning: 6 out of 43 antivirus solutions. I didn’t check which antivirus detected it and which didn’t, because I was not performing a detection comparison test.

However, I chose to analyze it again (5.3.2012 at 21:12 CET), hoping that the situation had dramatically improved. To my surprise, it hadn’t: only 13 out of 43 scanners detected the file.

As a conclusion: Zbot is old, but it always finds new methods to stay undetected.

Avira users are protected – all our products detect this malware.

Sorin Mustaca

Data Security Expert