Fake Visa Electronic Report Serves Up Zbot Data Stealer

If you receive an e-mail claiming to show an "online statement" from VISA, beware: you'll be walking into a trap of the "horrible infection file" variety.

A website (with a .co.uk domain but hosted in India) is playing host to the following fake setup, asking you to download an "electronic report" of your card transactions, supposedly in connection with fraudulent activity on the card:

[Screenshot: ZBot Visa EXE, originally uploaded by Paperghost]

Of course, the "statement" is actually an executable related to our old friend Zbot, which has been spammed out in every form of scam imaginable, from fake Windows and Outlook updates to phishing attacks and bogus server updates.

Should you download and run it, your PC will immediately start making calls to the following domain:


That particular URL has been linked to Zeus botnet C&C and other dubious practices; currently it appears to be offline. The infected PC will have a file called SDRA64.exe running from the System32 folder, a rather nasty little thing associated with everything from banking data theft to keylogging and IRC. The good news is that this particular file has been around for a while, so detection levels across the board should be pretty good by now (I'd double-check with VirusTotal, but I'm not alone in having some issues with that site at present).
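If you want to check a machine for the SDRA64.exe artifact named above, the following triage script is an added example (not code from the original post or its author). It matches the file name case-insensitively against a running-process list and a System32 directory listing; on Windows it collects both live (assuming the standard `tasklist` utility and a `%SystemRoot%` variable are present), and anywhere else it runs against a constructed sample listing so the logic can be exercised offline.

```python
"""Triage helper for the SDRA64.exe indicator described in the post.

Added example, not the post's own code. It takes a process listing and a
System32 directory listing (collected live on Windows, or constructed
inline for an offline run) and reports every match of the Zbot artifact
the post names.
"""
import ntpath
import os
import platform
import subprocess
from typing import Iterable, List, Tuple

# File name the post associates with this Zbot sample (compared lower-case).
INDICATOR = "sdra64.exe"


def find_sdra64(processes: Iterable[str], system32_files: Iterable[str]) -> List[str]:
    """Return human-readable findings for every process name or System32
    entry that matches the indicator.

    Matching is case-insensitive because Windows file names are, and the
    post writes the name as SDRA64.exe. ntpath.basename is used so that a
    full Windows path works even when this runs on a non-Windows host.
    """
    findings = []
    for proc in processes:
        if ntpath.basename(proc).lower() == INDICATOR:
            findings.append(f"running process: {proc}")
    for name in system32_files:
        if name.lower() == INDICATOR:
            findings.append(f"file present in System32: {name}")
    return findings


def collect_live() -> Tuple[List[str], List[str]]:
    """Collect the two listings on a Windows host.

    Assumption: 'tasklist' is on the PATH and %SystemRoot% is set, as on a
    default Windows install. tasklist's CSV output puts the image name in
    the first quoted column.
    """
    out = subprocess.run(
        ["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True, check=True
    ).stdout
    processes = [
        line.split('","')[0].strip('"') for line in out.splitlines() if line.strip()
    ]
    system32 = os.path.join(os.environ["SystemRoot"], "System32")
    return processes, os.listdir(system32)


# Constructed sample data for an offline run; not taken from a real host.
SAMPLE_PROCESSES = ["System", "smss.exe", "csrss.exe", "winlogon.exe",
                    "SDRA64.exe", "explorer.exe"]
SAMPLE_SYSTEM32 = ["kernel32.dll", "ntdll.dll", "sdra64.exe", "userinit.exe"]

if __name__ == "__main__":
    if platform.system() == "Windows":
        procs, files = collect_live()
    else:
        procs, files = SAMPLE_PROCESSES, SAMPLE_SYSTEM32
    for finding in find_sdra64(procs, files) or ["no SDRA64.exe indicator found"]:
        print(finding)
```

A hit on either list is worth treating as a compromise until proven otherwise, since the post ties the file to credential theft rather than to anything a legitimate installer would drop.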

Never, ever download an executable file mentioned in an e-mail claiming to be from your bank; you'll end up in a world of hurt.

We detect the file as Cardstatement.exe. A huge thank you to Senior Threat Researcher Peter Jayaraj for his late night assistance with this one!


About this Entry

This page contains a single entry by Christopher Boyd published on December 10, 2009 10:24 PM.
