A backdoor in an alleged Customs declaration
Fri, 25 July 2008
Tettnang, 25 July 2008 – Avira warns of bogus mail from Customs: emails are currently being sent in bulk to internet users' mailboxes, asking the recipient to declare a parcel to Customs. Instead of opening the corresponding form, however, the user opens the door to a Trojan, which then infects the computer.
The spam mail bears the heading "Parcel requires declaration". The mail itself tries to convince the receiver to fill out the attached form:
"Good day,
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
Kind regards,
Lucinda Addison
Your Customs Service"
The email's attachment is named Bill-Tax.zip. The archive contains the file "Bill_Tax ___________________________N89798742344.exe". Windows shows the file as a Word file, the perfect camouflage for the virus.
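A gateway-side check for the camouflage described above, as an added example that is not Avira's code: it flags archive members whose executable extension is pushed out of view by a run of filler characters. The extension list, thresholds and function names are assumptions, and the sample archive is constructed with placeholder bytes under the reported file name.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly (assumed policy list, adjust locally).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# A run of filler characters long enough to push the extension out of view.
PADDING_RUN = re.compile(r"[ _]{8,}")
# Assumed length beyond which a narrow file-name column truncates the display.
MAX_VISIBLE_LEN = 40


def check_member_name(name):
    """Return the list of reasons a single archive member name is suspicious."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    ext = (dot + ext).lower() if dot else ""
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + ext]
    if PADDING_RUN.search(stem):
        reasons.append("padding run before extension")
    if len(base) > MAX_VISIBLE_LEN:
        reasons.append("name longer than %d characters" % MAX_VISIBLE_LEN)
    return reasons


def scan_zip(zip_bytes):
    """Map each flagged member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            reasons = check_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: harmless placeholder bytes under the reported name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Bill_Tax ___________________________N89798742344.exe",
                         b"constructed placeholder, not malware")
        archive.writestr("readme.txt", b"constructed benign file")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

A plain executable such as setup.exe is reported with the extension reason only; the padding and length reasons are what separate the disguised attachment from an ordinary installer.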
When executed, the malware, detected by Avira as TR/Spy.ZBot.dkx, copies itself into the Windows directory under the name ntos.exe. After a system start it hides in the root functions and injects code into the Windows system file winlogon.exe.
It connects to a server on the internet and listens for incoming packets. The Trojan also spies on the user and loads other components from the ZBot family. The downloaded malware is detected by Avira as TR/Dldr.Agent.xft.
Avira users are already protected against this Trojan Horse. The anti-virus solutions from the IT protection specialist detect the malware with the virus definition file 7.00.05.168 as TR/Spy.ZBot.dkx.
About Avira
Avira is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than twenty years of experience, the company is one of the pioneers in this field.
The security expert has several locations in Germany and partnerships in Europe, Asia and America. At its headquarters in Tettnang near Lake Constance, Avira is one of the region’s largest employers with more than 180 employees. Worldwide more than 250 persons are employed and their work regularly wins awards. Avira AntiVir Personal, used by millions of private users, represents a significant contribution to security.
Avira’s national and international customers include renowned corporations listed on the stock exchange but also educational institutions and public authorities. In addition to protection of the virtual environment, Avira also provides for more protection and security in the real world by supporting the Auerbach Foundation. Established by the founder of the company, the Auerbach Foundation promotes charitable and social projects as well as the arts, culture and science.
Contact:
Avira GmbH
Elisabeth Rothbart
Lochhamer Schlag 5a
D-82166 Graefelfing/Munich
Phone: +49 (0) 89 8583 639 17
Fax: +49 (0) 89 8583 639 20
Email: elisabeth.rothbart@avira.com