Section 1: What email did I receive, and how did I know it was a Phishing Scam?

 

This is the first time I have received this Phishing email.  The email did not have any links, but instead has Malware attached.  Below is an example of what I received:

 

ADP Payroll Phishing

 

In classic Phishing style, this email contains something attractive to the user, something that they feel compelled to open.  In this instance, it’s the promise of seeing in detail the payroll details for the entire company.

 

This email has a couple of clear Malware/Phishing markers:

  • Our company does not use the services of ADP Payroll
  • The file attached is a zip file, and not a PDF of excel spreadsheet, which is what you would expect to receive as an attached invoice

 

If you receive this email, delete it immediately, it should cause no harm to your computer unless you run the executable inside the attached zip file.

 

Additionally, if you are using Office365, or an on-premises email solutions provided by AIM Communications, your email anti-virus should pick this email up and quarantine or delete it before you get it.

 

If you are interested in what the Malware attached to this email does, read on:

 

 

Section 2: What Malware did I receive, and what does it do?

 

The Malware I received in this Phishing email was a Trojan commonly known as “Trojan.Zbot”, which I will refer to as Zbot going forwards.

 

A Trojan, named after the mythological Trojan Horse from the Trojan War, is designed to silently infect a PC and stay hidden for as long as possible.

 

Zbot is designed not to extort money from the end user, or disable their system, but instead is designed for two things:

  • To steal passwords and other personal information, and send them back to the attacker
  • To give the attacker complete control of the infected PC, which includes stealing files, changing your home page, downloading and installing other Malware items, and restarting the PC.

 

Because of this, infections are sometimes hard to spot.  The Malware is designed to be as silent as possible, to increase it’s chances of staying hidden and stealing more data as time goes by.

 

To aid Zbot in it’s quest to stay hidden, and keep stealing personal information, Zbot can also protect itself by:

  • Renaming itself to a name not commonly associated with its detection
  • Blocking websites used to update Anti-Virus software

 

 

Section 3: How do you know if you’ve been infected with this Trojan, and how do I remove it?

 

Ultimately, it’s nearly impossible to know if you have been infected with this Trojan unless your Anti-Virus picks it up, or you are very good at wading through Windows internals to discover the infection, because as mentioned above, the attacker has the ability to rename the files associated with this Trojan.

 

You can check the following locations to see if you have been infected, but remember, not finding files in these locations DOES NOT MEAN THAT YOU HAVE NOT BEEN INFECTED, but if you do find these files, it is fairly safe to say that you have been infected with this Trojan:

  • %System%lowsec
  • %UserProfile%Application Datalowsec

 

If either of these folders exist, you are infected with Zbot, or have been infected at some time over the life of the PC.

 

The good news is that this Trojan is easily detected by most Anti-Virus products in the market, in most instances, it will also not start when you boot your PC into Safe Mode.

 

Because of this, the best way to remove this Trojan is to boot your PC into safe mode, and run a full scan with your Anti-Virus product.

 

 

AIM Communications can perform the Malware removal for you. Please call us on 1300 246 266, or email service@aimcom.com.au if you would like our assistance.

 

Do you have any questions, comments? Email us on blog@aimcom.com.au.

 

Interested in receiving these in your inbox as we write them? Simply fill in your email below and click “Sign me up!”