Un falso mail de DHL está propagando nueva variante de SPY ZBOT

Nos están llegando mails y consultas al respecto de uno que llega masivamente con falso remitente DHL, similar al que se ofrece a continuacion:
FALSO MAIL DE DHL:

_________________
Asunto:  Re: DHL Parcel Tracking Notification 3379055726960187
Fecha:  Tue, 29 Nov 2011 17:04:50 +0900
De:  DHL Express <tom. Reference: CNC8B-7440202482421485
P. Tracking Number: 1978-46YO9HXT6
Pickup Date: Tue, 29 Nov 2011 17:04:50 +0900
Service: GROUND
Pieces: 1
——————————————————————————–
 

——————————————————————————–
Shipment status may also be obtained from our Internet site in USA under http://track.dhl-usa.com or Globally under http://www.dhl.com/track
Please do not reply to this email. This is an automated application used only for sending proactive notifications

Thanks,
DHL Express International.

Ficheros adjuntos:
DHL-Express-Delivery-Tracking-Notification-4RKED1S1HBQ4SNT7GU.zip  256 k   [ application/zip ]

___________

FIN DEL MAIL

El preanalisis del virustotal sobre el fichero recibido (dropper) es:

File name: DHL-Express-Delivery-Tracking-Notification.exe
Submission date: 2011-11-29 11:35:26 (UTC)
Current status: finished
Result: 9 /43 (20.9%)
VT Community

malware
Safety score: 0.0%
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.11.29.00 2011.11.29 Trojan/Win32.Jorik
AntiVir 7.11.18.118 2011.11.29 –
Antiy-AVL 2.0.3.7 2011.11.29 –
Avast 6.0.1289.0 2011.11.29 –
AVG 10.0.0.1190 2011.11.29 –
BitDefender 7.2 2011.11.29 –
ByteHero 1.0.0.1 2011.11.29 –
CAT-QuickHeal 12.00 2011.11.29 –
ClamAV 0.97.3.0 2011.11.29 –
Commtouch 5.3.2.6 2011.11.29 W32/Zbot.DD.gen!Eldorado
Comodo 10793 2011.11.29 –
DrWeb 5.0.2.03300 2011.11.29 –
Emsisoft 5.1.0.11 2011.11.29 Win32.Outbreak!IK
eSafe 7.0.17.0 2011.11.28 –
eTrust-Vet 37.0.9591 2011.11.28 –
F-Prot 4.6.5.141 2011.11.28 W32/Zbot.DD.gen!Eldorado
F-Secure 9.0.16440.0 2011.11.29 –
Fortinet 4.3.370.0 2011.11.29 –
GData 22 2011.11.29 –
Ikarus T3.1.1.109.0 2011.11.29 Win32.Outbreak
Jiangmin 13.0.900 2011.11.28 –
K7AntiVirus 9.119.5555 2011.11.28 –
Kaspersky 9.0.0.837 2011.11.29 –
McAfee 5.400.0.1158 2011.11.29 Artemis!098EC136A3BC
McAfee-GW-Edition 2010.1D 2011.11.29 Artemis!098EC136A3BC
Microsoft 1.7801 2011.11.29 –
NOD32 6668 2011.11.29 a variant of Win32/Kryptik.WHC
Norman 6.07.13 2011.11.29 –
nProtect 2011-11-29.01 2011.11.29 –
Panda 10.0.3.5 2011.11.28 –
PCTools 8.0.0.5 2011.11.29 –
Prevx 3.0 2011.11.29 –
Rising 23.86.01.02 2011.11.29 –
Sophos 4.71.0 2011.11.29 –
SUPERAntiSpyware 4.40.0.1006 2011.11.29 –
Symantec 20111.2.0.82 2011.11.29 –
TheHacker 6.7.0.1.350 2011.11.27 –
TrendMicro 9.500.0.1008 2011.11.29 –
TrendMicro-HouseCall 9.500.0.1008 2011.11.29 TSPY_ZBOT.LEX
VBA32 3.12.16.4 2011.11.28 –
VIPRE 11175 2011.11.29 –
ViRobot 2011.11.29.4799 2011.11.29 –
VirusBuster 14.1.89.0 2011.11.28 –
Additional informationShow all
MD5   : 098ec136a3bcdcbfbd1f0a6a45b1f129
SHA1  : 46fa929451867e22932a7eb82e4257f80b4a2875

File size : 198656 bytes

publisher….: Agnitum Ltd.
copyright….: Clasp Newt Tho Slur 1995-2011
product……: Melon Safes Phi Hymnal
description..: Seed Eros Laid Top Utter Fail
original name: Byline.exe
internal name: Froze Miner Grove
file version.: 8.3

pero éste desaparece al ejecutarlo, y se crea otro que es el que se tiene que eliminar si el usuario ha ejecutado dicho fichero, y que ofrece el siguiente informe:

File name: exrufa.exe,vir
Submission date: 2011-11-29 11:44:35 (UTC)
Result: 5/ 43 (11.6%)
VT Community

malware
Safety score: 0.0%
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.11.29.00 2011.11.29 Trojan/Win32.Jorik
AntiVir 7.11.18.118 2011.11.29 –
Antiy-AVL 2.0.3.7 2011.11.29 –
Avast 6.0.1289.0 2011.11.29 –
AVG 10.0.0.1190 2011.11.29 –
BitDefender 7.2 2011.11.29 –
ByteHero 1.0.0.1 2011.11.29 –
CAT-QuickHeal 12.00 2011.11.29 –
ClamAV 0.97.3.0 2011.11.29 –
Commtouch 5.3.2.6 2011.11.29 W32/Zbot.DD.gen!Eldorado
Comodo 10793 2011.11.29 –
DrWeb 5.0.2.03300 2011.11.29 –
Emsisoft 5.1.0.11 2011.11.29 –
eSafe 7.0.17.0 2011.11.28 –
eTrust-Vet 37.0.9591 2011.11.28 –
F-Prot 4.6.5.141 2011.11.28 W32/Zbot.DD.gen!Eldorado
F-Secure 9.0.16440.0 2011.11.29 –
Fortinet 4.3.370.0 2011.11.29 –
GData 22 2011.11.29 –
Ikarus T3.1.1.109.0 2011.11.29 –
Jiangmin 13.0.900 2011.11.28 –
K7AntiVirus 9.119.5555 2011.11.28 –
Kaspersky 9.0.0.837 2011.11.29 –
McAfee 5.400.0.1158 2011.11.29 PWS-Zbot.gen.hb
McAfee-GW-Edition 2010.1D 2011.11.29 –
Microsoft 1.7801 2011.11.29 –
NOD32 6668 2011.11.29 a variant of Win32/Kryptik.WHC
Norman 6.07.13 2011.11.29 –
nProtect 2011-11-29.01 2011.11.29 –
Panda 10.0.3.5 2011.11.28 –
PCTools 8.0.0.5 2011.11.29 –
Prevx 3.0 2011.11.29 –
Rising 23.86.01.02 2011.11.29 –
Sophos 4.71.0 2011.11.29 –
SUPERAntiSpyware 4.40.0.1006 2011.11.29 –
Symantec 20111.2.0.82 2011.11.29 –
TheHacker 6.7.0.1.350 2011.11.27 –
TrendMicro 9.500.0.1008 2011.11.29 –
TrendMicro-HouseCall 9.500.0.1008 2011.11.29 –
VBA32 3.12.16.4 2011.11.28 –
VIPRE 11175 2011.11.29 –
ViRobot 2011.11.29.4799 2011.11.29 –
VirusBuster 14.1.89.0 2011.11.28 –
Additional informationShow all
MD5   : 2a4917c062cd8c7e328f302c0285b071
SHA1  : 21b60fa66819123d962eb4a1a6c1a54035582e14

File size : 198656 bytes

publisher….: Agnitum Ltd.
copyright….: Clasp Newt Tho Slur 1995-2011
product……: Melon Safes Phi Hymnal
description..: Seed Eros Laid Top Utter Fail
original name: Byline.exe
internal name: Froze Miner Grove
file version.: 8.3

Ambos ficheros, el dropper y el creado por él, son detectados y eliminados por el ELISTARA 24.37, que estará disponible en nuestra web a partir de las 19 h CEST de hoy.

De todas formas el actual ELISTARA ya controla heuristicamente este último, pidiendo muestra y aparcandolo para que no se cargue a partir del proximo reinicio

saludos

ms, 29-11-2011