NEWS FROM THE LAB - Wednesday, February 20, 2008

Mikkeli Spam Links to ZBot Malware
Posted by Sean @ 10:01 GMT

We are getting reports of Finnish language spam that links to a ZBot variant.

We've seen this spam message ourselves. Here's an example of the text:

[Image: ZBot.HS Spam]

The subject line is "Uutinen Suomen ydinsaastumisesta".

That translates as "News of Nuclear Fallout in Finland".

The thing is — there's no nuclear power plant in the Mikkeli area as the message claims.

The first image shows the location of Mikkeli and the second image shows the locations of Finland's four existing plants:

http://en.wikipedia.org/wiki/Mikkeli
http://en.wikipedia.org/wiki/Nuclear_power_in_Finland

The site to which the spam links provides an additional link directing recipients towards a variant of ZBot.
The spam message itself is not malicious.

ZBot is a family of banking trojans that has in the past included Finnish banks among its targets.

We detect the variant as Trojan-Spy:W32/ZBot.HS with database update 2008-02-20_04.

Further analysis of ZBot.HS is ongoing.