New Zbot malicious campaign

A spam email purporting to come from the UK’s Royal Mail service has been making the rounds of inboxes:

Attached to the message is a .pdf file named Royal_Mail_Delivery_Notice.pdf, and the recipient is encouraged to open it for more information about the supposed failed delivery.

Unfortunately for the recipient, the file contains an embedded executable that – according to Websense – “creates a subdirectory under %SYSTEM32% with the name “lowsec” and drops the “local.ds” and “user.ds” files. These are configuration files for the threat. It also copies itself into %SYSTEM32% as “sdra64.exe” and modifies the registry entry “%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” to launch itself during system startup. When it runs, it injects malicious code into the Winlogon.exe instance in memory.”

It is a ZeuS/Zbot variant, and it will steal various information from the infected computer and send it to a server in China.
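A read-only triage check for the host indicators quoted above, added here as an example (it is not part of the original article or of Websense’s report). It assumes the default Userinit value is `<SystemRoot>\System32\userinit.exe,` and is run from an elevated PowerShell prompt on the suspect machine:

```powershell
# Added example, not from the article: look for the Zbot indicators described
# by Websense without modifying anything on the host.
$system32 = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Persistence: Winlogon\Userinit normally holds only "<System32>\userinit.exe,".
#    The dropper appends its own copy (sdra64.exe) so it starts at logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = (Join-Path $system32 'userinit.exe') + ','   # assumed default value
if ($userinit -ne $expected) {
    $findings += "Userinit is '$userinit' (expected '$expected')"
}
if ($userinit -match 'sdra64\.exe') {
    $findings += 'Userinit references sdra64.exe (named in the report)'
}

# 2. Dropped files: the copied executable and the two "lowsec" configuration files.
foreach ($rel in 'sdra64.exe', 'lowsec\local.ds', 'lowsec\user.ds') {
    $path = Join-Path $system32 $rel
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "Found $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 3. Report. Any hit warrants isolating the host and acquiring memory, since the
#    payload injects into winlogon.exe rather than running as a separate process.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the Royal Mail/Zbot report were found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```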

One thing that can warn people that something fishy is going on is the warning Adobe Acrobat Reader presents when the file is launched, saying that the file may contain programs, macros or viruses that could potentially harm your computer. At that point, it is better not to open the file unless you are 100% sure it is safe.

The executable was embedded in the .pdf file using the recently unveiled exploit of a feature of that file format:
