August 12, 2009

Russian anti-virus vendor Doctor Web reports a mass mailing of spam messages with attached Trojan.Botnetlog.11. The Trojan horse forming a new botnet also downloads and installs other pieces of malware on infected machines.

Trojan.Botnetlog.11 appeared as an attachment to spam messages on August 6, 2009. Now activity of this malicious program reached its peak.

The Trojan horse comes to a user machine with a fake e-mail delivery-failure notification from a respected e-mail service that informs a user that his package couldn’t be delivered because the recipient address is incorrect. As a solution the message offers a victim to print out the attached copy of an "invoice" and collect the package at the office of the company.

The attached zip-archive with a random name that follows the UPSNR_********.zip template contains an executable file with the same name. This file is Trojan.Botnetlog.11. The malicious file mutates from mailing to mailing and therefore can be hard to detect for an anti-virus.

Once launched the malware adds its entry to the autorun list, injects its code into system processes and establishes an HTTP connection to a bogus web-site to download other malicious programs. This is a how compromised system is are registered on the botnet.

Since Trojan.Botnetlog.11 is mutating constantly, Doctor Web recommends all users of Dr.Web anti-viruses to use automatic updating of virus databases and anti-virus software components.