The distribution of Zbot continues, this time via a file called tax-statement.exe and the domains irs.gov.fedas1ao.com, irs.gov.y11derd.com and irs.gov.juhh1wo.com. Note that irs.gov is only a subdomain prefix in each of these: the registrable domains are fedas1ao.com, y11derd.com and juhh1wo.com, which is what makes the links look legitimate to someone skimming a message. It is unclear what the initial vector is; however, given the way the domains and file name have been crafted, it is most likely spam. All the domains used so far, and the dates they were first seen, can be found here.

Upon execution of tax-statement.exe the following changes are made to the registry. The first two entries are keys; the bracketed entries that follow show the values set under each key. The Userinit value under Winlogon is the one to check first: Zbot appends the path of its dropped executable to this value so that it is launched at every logon, and the value that was written is not recorded in this write-up.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
UID = "%ComputerName%_0002DE7F"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]

{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Cookies =
History =
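The registry artifacts above are easiest to check offline against a text export of the relevant keys (reg export on the host, or a hive converted to .reg format). The following is an added example, not code from the original post: it parses a .reg export, flags anything appended to the Winlogon Userinit value beyond the stock userinit.exe, and reports the Explorer GUID key and the Network UID marker listed above. The sample export and the dropper file name example_dropper.exe are constructed for the example.

```python
# Added example, not code from the original post: parse a .reg text export of
# an infected host and flag the registry artifacts listed in the write-up. The
# Userinit check matters most for persistence: Zbot appends the path of its
# dropped executable to this Winlogon value so that it runs at every logon.
import re

# Stock Userinit entries on Windows XP/7 (compared case-insensitively).
DEFAULT_USERINIT = {
    r"c:\windows\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
}

# Key paths from the write-up, lower-cased for matching.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
NETWORK_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\network"
EXPLORER_GUID_KEY = (r"hkey_users\.default\software\microsoft\windows\currentversion"
                     r"\explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _unescape(data):
    """Undo the escaping .reg files apply to REG_SZ data; leave hex: data alone."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _unescape(m.group("data"))
    return keys


def userinit_extra_entries(value):
    """Entries in a Winlogon Userinit value other than the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in DEFAULT_USERINIT]


def zbot_registry_findings(reg_text):
    """List human-readable findings for the artifacts described in the write-up."""
    keys = parse_reg_export(reg_text)
    findings = []
    for extra in userinit_extra_entries(keys.get(WINLOGON_KEY, {}).get("Userinit", "")):
        findings.append("Userinit persistence hook: " + extra)
    if EXPLORER_GUID_KEY in keys:
        findings.append("Explorer GUID key present: " + EXPLORER_GUID_KEY.rsplit("\\", 1)[1])
    uid = keys.get(NETWORK_KEY, {}).get("UID", "")
    if uid.endswith("_0002DE7F"):
        findings.append("Network UID marker: " + uid)
    return findings


# Constructed sample export; the dropper file name is hypothetical.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example_dropper.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID"="WORKSTATION1_0002DE7F"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
"{3039636B-5F3D-6C64-6675-696870667265}"=hex:f7,09,f2,0d
"""

if __name__ == "__main__":
    for finding in zbot_registry_findings(SAMPLE_REG):
        print(finding)
```

The Userinit comparison is deliberately case-insensitive and tolerant of the trailing comma Windows leaves on the stock value, so a clean host produces no finding while any extra path is reported verbatim.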

From a network perspective the following GET requests are generated. Both go to a bare IP address over plain HTTP, so they leave no DNS trace; proxy or flow logs are the place to look for them.

http://195.93.208.18/lcc/ip.gif

http://195.93.208.18/ip.php
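Put together, the indicators in this post are three lookalike domains, one IP and two URLs. The following is an added example, not code from the original post: it shows why the domains should be treated as lookalikes (the registrable domain is not irs.gov) and sweeps proxy log lines for the URL, IP and domain indicators. The log format, the log lines and the host irs.gov.newlookalike.com are constructed for the example; the registrable-domain helper simply takes the last two labels, which is a simplification that ignores multi-label public suffixes such as co.uk.

```python
# Added example, not code from the original post: classify the irs.gov lookalike
# domains and sweep constructed proxy log lines for the Zbot indicators.
from urllib.parse import urlsplit

# Indicators taken from the write-up.
IOC_DOMAINS = {"irs.gov.fedas1ao.com", "irs.gov.y11derd.com", "irs.gov.juhh1wo.com"}
IOC_URLS = {"http://195.93.208.18/lcc/ip.gif", "http://195.93.208.18/ip.php"}
IOC_IPS = {urlsplit(u).hostname for u in IOC_URLS}


def registrable_domain(host):
    """Last two labels of the host. Simplification: a production tool should use
    a public suffix list so that names under co.uk and similar are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_brand_abuse(host, brand="irs.gov"):
    """True when a trusted name is used as a subdomain prefix but the registrable
    domain is something else, as with irs.gov.fedas1ao.com."""
    h = host.lower()
    return h.startswith(brand + ".") and registrable_domain(h) != brand


def match_log_line(line):
    """Reasons a proxy log line matches an indicator; empty list for a clean line.
    Constructed log format: timestamp client method url status."""
    parts = line.split()
    url = next((p for p in parts if p.startswith(("http://", "https://"))), None)
    if url is None:
        return []
    host = urlsplit(url).hostname or ""
    reasons = []
    if url in IOC_URLS:
        reasons.append("known C2 URL")
    elif host in IOC_IPS:
        reasons.append("known C2 IP")          # same server, unlisted path
    if host in IOC_DOMAINS:
        reasons.append("known Zbot domain")
    elif looks_like_brand_abuse(host):
        reasons.append(f"irs.gov lookalike ({registrable_domain(host)})")
    return reasons


def sweep(lines):
    """Return (line, reasons) for every line that matches at least one indicator."""
    return [(line, reasons) for line in lines for reasons in [match_log_line(line)] if reasons]


# Constructed sample log; newlookalike.com is a hypothetical domain.
SAMPLE_LOG = """\
2009-03-11T10:15:02Z 10.0.0.5 GET http://195.93.208.18/ip.php 200
2009-03-11T10:15:03Z 10.0.0.5 GET http://195.93.208.18/lcc/ip.gif 200
2009-03-11T10:16:10Z 10.0.0.7 GET http://irs.gov.newlookalike.com/tax-statement.exe 200
2009-03-11T10:16:11Z 10.0.0.7 GET http://www.irs.gov/ 200
2009-03-11T10:16:12Z 10.0.0.9 GET http://195.93.208.18/other.html 404
"""

if __name__ == "__main__":
    for domain in sorted(IOC_DOMAINS):
        print(domain, "->", registrable_domain(domain), "lookalike" if looks_like_brand_abuse(domain) else "")
    for line, reasons in sweep(SAMPLE_LOG.splitlines()):
        print(", ".join(reasons), "|", line)
```

The lookalike check is what catches the next campaign: a new irs.gov.*.com domain is flagged by structure even before it appears on a block list, while the genuine www.irs.gov passes because its registrable domain really is irs.gov.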

Threat characteristics of ZBot: a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking credentials), takes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.