Tag Archives: Zbot

WSNPoem: UPSTRACKING_DS9961201.zip

Seit heute Nacht verbreitet sich der Trojaner WSNPoem (aka ZeuS / Zbot) mit einer neuen Spam-Welle in der Schweiz. Grund zur Beruhigung: Die Spam-Welle scheint bis an hin ziemlich klein zu sein:

From: “United Parcel Service of America”
Subject: Postal Tracking #xxxxxxxxxxxxxx


We were not able to deliver postal package you sent on the 14th of March in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

Attachment: UPSTRACKING_DS9961201.zip

Absender Email Adresse sowie die Nummer im Betreff variieren. Im Attachment UPSTRACKING_DS9961201.zip befindet sich ein Trojan-Dropper:

Filename: UPSTRACKING_DS9961201.exe
File size: 50176 bytes
MD5 : 4be0d4b1dbc2d7ba92b6c920388ae4bb
SHA1 : 3e8cd1b64316e0127e8d84d508dd78a20373ae31
Erkennungsrate: 18/40 (45.00%)

Der Trojaner nistet sich im System32 Verzeichnis (z.B. C:\WINDOWS\system32\wbem\grpconv.exe) ein und nimmt Kontakt mit einem Command&Control Server auf:

GET http://dollarpoint.ru/abc/controller.php

Die Domain dollarpoint.ru wird auf einem Server in der Ukraine gehostet:

dollarpoint.ru (

inetnum: –
netname: Nice-NET
descr: Nice LTD
country: UA

Danach lädt der infizierte Rechner einen Rogue Antivirus (FakeAV) nach:

GET http://trucount3002.com/cgi-bin/promo.pl

Filename: lsp.exe
Filename: File size: 104960 bytes
MD5 : 9c9c2f242295e9bfaffecaab373b1f20
SHA1 : cacca42a9dd766c2d4f504bb8cffea379253a36d
Erkennnugnsrate: 16/40 (40.00%)

Nun lädt der Trojaner WSNPoem ein Config-File von bklinkov.ru nach:

GET http://bklinkov.ru/hi/start.cfg

Des Weiteren meldet sich der Trojaner regelmässig bei einem C&C Server und lädt gestohlene Daten hoch:


Was bisher etwas schleierhaft ist, ist die Frage, ob WSNPoem bereits im Email Anhang (UPSTRACKING_DS9961201.exe) bzw. dem Trojan-Dropper drin ist oder ebenfalls erst nachgeladen wird.


Folgende URLs werden vom Trojan Dropper, der nachinstallierten Rogue Software sowie dem WSNPoem Trojaner kontaktiert und sollten deshalb blockiert werden:

  • dollarpoint.ru
  • trucount3002.com
  • hostvegass.ru
  • onlinescanxppp.com
  • bklinkov.ru
  • antivirus-xppro2009.com
  • When a Botmaster goes REALLY mad

    Yesterday I came across a post on Sunbelt’s Blog concering bots which have a build in function to destroy the computers operating system (OS). The Sunbelt Blog reference to a blog post on the S21sec Blog:

    This time we are taking a close look about what things could happen with an infected computer when the running bot receives an specific command about to kill the Operating System. Not all type of bots usually have this functionality, but banking Trojans usually have. We will take three examples (InfoStealer, Zeus/Zbot and Nethell/Ambler), these are the most common Trojans where we’ve definitely found in their binaries the malicious code that is responsible for the Execution of Windows.

    Last week I received a copy from a ZeuS C&C server for analysis (53’878’694 records in database / 155GB) . The C&C server was hosting about 5 different ZeuS installations controlling more than 100′000 computers, mainly located in Poland and Spain.

    I was just shocked as I saw that the ZeuS C&C was sending out the ZeuS command kos:

    ZeuS C&C: Kill Operating System

    But what is “kos”? The kos command is used by ZeuS to destroy the operating system (kill Operating System). From ZeuS help file (translated with Google):

    kos – incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges – fly to “blue screen”, in other cases creates the brakes. Following these steps, loading OS will not be possible!

    So what happened? The Operating System of every infected client which was connected to one of the malicious ZeuS C&Cs has been destroyed. That are about 100’000 affected computers!

    Yeah, that happens when a Botmaster goes really mad…

    Further reading:
    Sunbelt Blog: Bots that destroy the operating system
    S21sec Blog: When a Bot master goes mad – Kill the OS
    abuse.ch ZeuS Tracker BETA