Unlike the other variants, W32/Zotob.D is unpacked; it is a 94.208 byte PE executable.
Like the C variant, it tries to trick the user into opening an infected e-mail attachment; the only difference is that this variant does so far more successfully. For example:
Dear [DOMAIN] Member,
We have temporarily suspended your email account [RECEIVER E-MAIL].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [DOMAIN] account.
Please also visit our irc server [REMOVED]
Sincerely,
The [DOMAIN] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[DOMAIN]
The e-mail also encourages the recipient to visit the worm's IRC server, which we strongly advise against. Those familiar with W32/Mytob will probably notice that this variant has implemented the phishing routine from W32/Mytob, as the e-mails are almost identical to those sent by W32/Mytob.
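As an added illustration (not part of the original write-up), the following Python heuristic scores an e-mail body for the lure markers visible in the template above: the account-suspension pretext, the IRC invitation, the "Support Team" sign-off and the fake "+++ Attachment: No Virus (Clean)" footer that imitates a gateway scan. The sample messages and the example.com domain are constructed for the demonstration.

```python
import re

# Heuristic markers taken from the Zotob.D / Mytob lure quoted above; each is
# matched case-insensitively, line by line, against the message body.
LURE_MARKERS = {
    "suspension_pretext": r"temporarily suspended your (e-?mail )?account",
    "numbered_reasons": r"^\s*[1-3]\.\s",
    "irc_invitation": r"visit our irc server",
    "support_signoff": r"^the .* support team$",
    "fake_av_footer": r"^\+\+\+ attachment: no virus \(clean\)",
    "fake_av_brand": r"^\+\+\+ .*antivirus - www\.",
}
# Attachment extensions treated as executable content in this context.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def score_lure(body: str, attachments: list) -> dict:
    """Score one e-mail body plus its attachment file names.

    Flagged when the fake "No Virus (Clean)" footer appears with at least one
    other marker, or when any marker coincides with an executable attachment.
    """
    hits = [name for name, pat in LURE_MARKERS.items()
            if re.search(pat, body, re.IGNORECASE | re.MULTILINE)]
    exe = [a for a in attachments if a.lower().endswith(EXECUTABLE_SUFFIXES)]
    flagged = ("fake_av_footer" in hits and len(hits) >= 2) or (bool(hits) and bool(exe))
    return {"markers": hits, "executables": exe, "flagged": flagged}


# Constructed sample modelled on the template quoted above, placeholders filled
# with example.com; not a captured message.
SAMPLE_LURE = """Dear example.com Member,
We have temporarily suspended your email account user@example.com.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
See the details to reactivate your example.com account.
Please also visit our irc server irc.example.com
Sincerely,
The example.com Support Team
+++ Attachment: No Virus (Clean)
+++ example.com Antivirus - www.example.com"""

# Constructed benign message that also mentions an attachment scan.
SAMPLE_BENIGN = """Hi,
Attached are the minutes from Monday's meeting; the gateway found no virus.
Thanks"""

if __name__ == "__main__":
    print(score_lure(SAMPLE_LURE, ["account-details.zip"]))  # flagged: True
    print(score_lure(SAMPLE_BENIGN, ["minutes.pdf"]))        # flagged: False
```

The footer alone does not flag a message; it has to coincide with another marker or an executable attachment, which keeps ordinary gateway scan notices out of the verdict.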
It looks as if this variant may have a different author from the previous three. A message inside the worm suggests that the source code is in distribution.
In other areas the worm is like its predecessors, so the exploit can only be used to infect systems running Windows 2000.