Possible Zbot
Started by Malhunter, Mar 05 2010 10:07 AM
9 replies to this topic
#1
Posted 05 March 2010 - 10:07 AM
We're seeing a well-crafted phishing email being sent around to various government agencies with a link to
dnicenter.com/docs/report.zip
Zip file contains an executable, which when able to run and infect, makes a call to
updatekernel.com/imgpic/x18d2/d8x16/x98x10.bin
The bin file appears to be a config file for Zbot.
Currently 1/42 VT
http://www.virustotal.com/analisis/78ffd2e...1cee-1267797667
Report provided by Comodo
http://camas.comodo.com/cgi-bin/submit?fil...67b14b6fa6a1cee
Fairly new user so if I did this wrong please let me know. I didn't attach the file as I am under the impression not to since I'm not an official contributor.
You can't patch stupid.
#3
Posted 05 March 2010 - 10:57 AM
Could you post a raw copy of the email or send me a copy?
TIA
Tom
#4
Posted 05 March 2010 - 11:02 AM
Report.exe inside Zip detected now as Trojan.Zbot by Symantec.
#5
Posted 05 March 2010 - 11:12 AM
We never received the full email with headers from any of the users who received it, they just forwarded it on to us. And I am unable to attach the file, says I am not authorized to upload the file type of .sitx (I do my malware work on a Mac with StuffIt for zipping files).
You can't patch stupid.
#6
Posted 05 March 2010 - 11:15 AM
Malhunter, on Mar 5 2010, 11:12 AM, said:
We never received the full email with headers from any of the users who received it, they just forwarded it on to us. And I am unable to attach the file, says I am not authorized to upload the file type of .sitx (I do my malware work on a Mac with StuffIt for zipping files).
On OSX? Just Control-click on the file and OSX will zip it for you.
Tom
PS For those who want this file here is what I downloaded from the URL
Attached Files
#7
Posted 05 March 2010 - 11:17 AM
Quote
And I am unable to attach the file, says I am not authorized to upload the file type of .sitx
@Tom, thanks for the attachment.
Plenty of zbots making the rounds lately.
#8
Posted 05 March 2010 - 11:37 AM
Malhunter, on Mar 5 2010, 11:12 AM, said:
We never received the full email with headers from any of the users who received it, they just forwarded it on to us. And I am unable to attach the file, says I am not authorized to upload the file type of .sitx (I do my malware work on a Mac with StuffIt for zipping files).
Oh bloody hell! I feel like a tard. I'm still really new to the OSX environment and asked a co-worker about how to zip on Macs. He recommended StuffIt so I went with it. I'll remember to stick to the renaming idea in the future. Sorry for the hassle.
You can't patch stupid.
#9
Posted 05 March 2010 - 11:46 AM
sUBs, on Mar 5 2010, 11:17 AM, said:
A way to work around this is to rename the file's extension to zip.
@Tom, thanks for the attachment.
Plenty of zbots making the rounds lately.
Just a point of clarification, .sitx is NOT a zip file. It is a StuffIt file. On OSX a file(s) can be zipped (e.g. put in a format that PKZIP on Windows can understand) either by using the command line:
zip file.zip /path/to/file
Or by performing a control-click to bring up a menu and then selecting "Compress", or by clicking the file once and then selecting "Compress" from the "File" menu. This will generate a .zip file.
#10
Posted 05 March 2010 - 11:52 AM
dshield, on Mar 5 2010, 11:46 AM, said:
Just a point of clarification, .sitx is NOT a zip file. It is a StuffIt file. On OSX a file(s) can be zipped (e.g. put in a format that PKZIP on Windows can understand) either by using the command line:
zip file.zip /path/to/file
Or by performing a control-click to bring up a menu and then selecting "Compress", or by clicking the file once and then selecting "Compress" from the "File" menu. This will generate a .zip file.
Thank you for the quick tip, worked just as you said and I have no problem uploading now.
Attached Files
You can't patch stupid.



This topic is locked











