Zbot Variants Spreading!

There are several ways to propagate malware, and one of them is social engineering. That is exactly what the current Zbot variants are doing: they send emails that appear to come from your service provider, from Microsoft itself, or from your own system administrator.

How often do you really get an email from Microsoft telling you that there is an update?  For most people, never.  I have worked in the Information Technology field for almost 20 years and I have never received an email from them telling me there is an update.   So why do you think they would start doing it now?  Better yet, do you think they are keeping track of every user who has Outlook, along with their email address?

So are you the system administrator?  Do you actually email people from “System Admin”?  Really?  Security 101 tells you to rename the default administrator account anyway, and you should not be sending mail from an account called System Admin.  So how often does your system administrator actually email you?

So by tricking you into believing you are visiting a real website and downloading a genuine upgrade or settings change, they get you to install the Zbot variant yourself.
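The lure described above has two tells that can be checked mechanically: the display name claims a sender (Microsoft, "System Admin") whose domain does not match the actual address, and the "update" link points at a host other than the one its text shows. The script below is an added example for this post, not the author's code. TRUSTED_SENDERS, ALLOWED_LINK_HOSTS, the example.com organisation and both sample messages are constructed assumptions for the demo; replace them with your own mail domains.

```python
"""Flag the lure the post describes: mail whose display name claims Microsoft or the
'System Admin' while the address and the download link point somewhere else.
Added example, not the post author's code; the domains and messages are assumptions."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: display-name claims an attacker borrows, mapped to the domains that may
# legitimately use them. example.com stands in for your own organisation.
TRUSTED_SENDERS = {
    "microsoft": {"microsoft.com"},
    "system admin": {"example.com"},
    "administrator": {"example.com"},
}
# Assumption: hosts that a link in an 'update' mail is allowed to point at.
ALLOWED_LINK_HOSTS = {"microsoft.com", "example.com"}
# Anchor text that itself looks like a URL or hostname (to spot text/href mismatch).
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Crude registrable domain (last two labels); fine for the demo, wrong for .co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw):
    """Return a list of finding strings for one raw RFC 5322 message; empty means clean."""
    msg = message_from_string(raw, policy=default)
    findings = []
    # 1. Display name claims a trusted sender but the address domain does not match.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = base_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for claim, domains in TRUSTED_SENDERS.items():
        if claim in name.lower() and sender_domain not in domains:
            findings.append(f"display name '{name}' claims {claim} but address is {addr}")
    # 2. Links: off-site download hosts, and anchor text that shows a different host.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    text = body.get_content()
    if body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        collector.close()
        links = collector.links
    else:
        links = [(url, "") for url in re.findall(r"https?://\S+", text)]
    for href, anchor in links:
        host = urlparse(href).hostname or ""
        if base_domain(host) not in ALLOWED_LINK_HOSTS:
            findings.append(f"link points at untrusted host {host}")
        shown = HOSTLIKE.match(anchor)
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
    return findings


# Constructed sample lure in the shape the post describes (not a real captured message).
LURE = """\
From: Microsoft Update Team <update@mail-updates.example.net>
To: user@example.com
Subject: Critical Outlook update required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>A critical update is available. Install it now from
<a href="http://update-server.example.net/office/update.exe">http://update.microsoft.com/office</a>.
</p></body></html>
"""

# Constructed benign message from the organisation's own helpdesk, for contrast.
LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Patch window this Friday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Updates are pushed centrally; details at https://intranet.example.com/patching
"""

if __name__ == "__main__":
    for label, sample in (("LURE", LURE), ("LEGIT", LEGIT)):
        print(label, analyse(sample) or ["no findings"])
```

Run it and the lure produces three findings (sender claim, untrusted link host, text/href mismatch) while the helpdesk mail produces none. The domain matching is deliberately crude; a mail gateway would use a public-suffix list and DMARC alignment instead, but the two tells are the same ones the post is pointing at.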

So what exactly does the Zbot trojan do?   First off, it disables the Windows Firewall,  steals sensitive financial data (credit card numbers, online banking login details),  takes screen snapshots,  downloads additional components,  and gives the attacker remote access to the compromised system.

Zbot creates the file %System%\sdra64.exe, a hidden directory %System%\lowsec, and inside it the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds.  It also injects code into running processes: new memory pages appear in the address space of services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe.
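The file and directory names above are enough for a quick host check. The script below is an added example, not the post author's code: it looks for sdra64.exe, the lowsec directory and its local.ds / user.ds files under a %System% directory and reports whether each carries the hidden attribute. The injected memory pages are out of scope here; spotting those needs a memory scanner, not a filesystem walk. The sample tree it builds in a temporary directory is constructed for the demo and contains placeholder bytes, not malware.

```python
"""Filesystem check for the Zbot artifacts the post lists. Added example, not the
post author's code. Looks for sdra64.exe, the hidden lowsec directory and its
local.ds / user.ds files under a given %System% directory."""
import os
import stat
import tempfile

# Artifacts from the post, relative to %System% (normally C:\Windows\System32).
ZBOT_DIRS = ("lowsec",)
ZBOT_FILES = (
    "sdra64.exe",
    os.path.join("lowsec", "local.ds"),
    os.path.join("lowsec", "user.ds"),
)


def is_hidden(path):
    """True if the Windows hidden attribute is set. On other platforms
    st_file_attributes does not exist, so this reports False there."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_system_dir(system_dir):
    """Return a list of (relative path, kind, hidden) for each artifact present,
    kind being 'dir' or 'file'. An empty list means none of them were found."""
    hits = []
    for rel in ZBOT_DIRS:
        path = os.path.join(system_dir, rel)
        if os.path.isdir(path):
            hits.append((rel, "dir", is_hidden(path)))
    for rel in ZBOT_FILES:
        path = os.path.join(system_dir, rel)
        if os.path.isfile(path):
            hits.append((rel, "file", is_hidden(path)))
    return hits


def default_system_dir():
    """%System% on the local host; falls back to C:\\Windows\\System32 if SystemRoot is unset."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


def build_sample_tree(root):
    """Constructed sample: recreate the artifact layout under a fake System32 so the
    scanner can be exercised offline. The files hold placeholder bytes, not malware."""
    sysdir = os.path.join(root, "System32")
    os.makedirs(os.path.join(sysdir, "lowsec"))
    for rel in ZBOT_FILES:
        with open(os.path.join(sysdir, rel), "wb") as f:
            f.write(b"placeholder")
    with open(os.path.join(sysdir, "kernel32.dll"), "wb") as f:  # benign, must not be reported
        f.write(b"placeholder")
    return sysdir


def demo():
    """Scan the constructed tree and, for contrast, a directory that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = scan_system_dir(build_sample_tree(tmp))
        clean = scan_system_dir(os.path.join(tmp, "empty"))
    return infected, clean


if __name__ == "__main__":
    infected, clean = demo()
    for rel, kind, hidden in infected:
        print(f"{kind:4} {rel}{'  (hidden)' if hidden else ''}")
    print("clean dir hits:", clean)
```

On a real host call scan_system_dir(default_system_dir()) from an elevated prompt; the demo's sample files are not marked hidden, so the hidden flag only becomes informative on a live system. On 64-bit Windows a 32-bit process writing to %System% is redirected to SysWOW64 by WOW64 file system redirection, so scan that directory as well. Absence of these files proves nothing about a variant that uses different names; treat the list as a quick triage check, not a verdict.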

