Mal/Zbot-FV

Mal/Zbot-FV Description

ESG security analysts have received reports of a recent batch of fake emails belonging to a scam labeled as Mal/Zbot-FV because of its relationship to the Zeus or Zbot botnet. While the actual Mal/Zbot-FV message may not be directly related to this botnet, the format of the fake email message that Mal/Zbot-FV uses to attempt to deliver malware to its victims is identical to tactics that were initially related to botnets such as Zeus or Zbot and Bredo. Botnets are vast networks made up of thousands of computers that have been taken hostage with the help of malware. Criminals can use these computers to carry out devastating coordinated attacks, such as sending out huge amounts of email or attack websites by overloading them with requests. The most common way in which botnets recruit new victims is by sending out spam email containing Trojans that allow the criminal to gain unauthorized access to the victim's computer. The Mal/Zbot-FV attack is one such kind of malicious email.

Mal/Zbot-FV is an Email Attack that is Disguised as a Message from DHL

The Mal/Zbot-FV attack tends to be associated with fake emails supposedly coming from a courier and messaging companies like FedEx and DHL. These messages make the victim believe that they have either received a package, or that there was some kind of trouble with a message that they tried to send out. The Mal/Zbot-FV attack will include an embedded link or malicious attached file that leads the victim to the actual Trojan which carries out the devastating invasion on the victim's computer system. This scam has been around for a long time. While the most recent Mal/Zbot-FV was observed in March of 2012, Mal/Zbot-FV rises up periodically.

In fact, ESG malware analysts detected a particularly malicious version of the Mal/Zbot-FV attack in July 2011, which claimed numerous victims all around the world. The Mal/Zbot-FV message is quite convincing, well written, and authentic-looking. It uses images from DHL and a spoofed email address with a "dhl" domain. The Mal/Zbot-FV attack will include a compressed archive in ZIP format with a varying name. In most cases, the files name will be particularly long (for example, DHL-Express-Delivery-Notification-Details_03-2012_[Random tracker number].zip in order to distract the victim from the ZIP extension). Opening the attached file causes the victim's computer system to be infected with a Trojan downloader or dropper which establishes a backdoor and then access a remote server, so it will be able to download and install other malware on the victim's computer.

Technical Information

File System Details

Mal/Zbot-FV creates the following file(s):
# File Name Detection Count
1 DHL-Express-Delivery-Notification-Details_03-2012_[random id].zip N/A