ZBot outbreak in form of IRS Phishing

Our users located in the US are currently under attack from an IRS-themed malware spam campaign. For the last three days we have continuously detected and blocked a spam outbreak containing links to websites imitating the IRS site, which ask the user to download a ZBot Trojan file.

Fig. 1: The spam mail pointing to the malware site.


All Avira products detect the Trojans as TR/Spy.ZBot (in several variants). Users of Avira AntiVir Premium, Avira Premium Security Suite and WebGate are additionally protected because the URLs themselves are blocked.

The emails embed the recipient's address in the URL, together with a tracking ID, so that the attackers can confirm that a specific recipient actually clicked the link: http://www.irs.gov.<host>.com/fraud_application/directory/statement.php?email=ngthisleter@<email.com>&tid=ngthisleter-00000174073547US

Fig. 2: The fake IRS site with the malware.


The URLs are highly volatile; we see each one active for only a couple of hours. However, the hosts serving the malware file itself, named “tax-statement.exe”, are still active. So please don't follow those links!
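As an added example (not Avira's code and not part of the original post), the following Python script shows how a defender can turn the two indicators described above, the IRS-lookalike hostname with its email/tid click-tracking parameters and the "tax-statement.exe" payload name, into detection logic over proxy logs. It goes slightly beyond the post's single URL shape: any hostname in which "irs.gov" is followed by further labels (with or without a "www." prefix) is treated as a lookalike. The log format, the IP addresses, the domains and the e-mail addresses are all constructed for the example; the tid format mirrors the one quoted in the post.

```python
# Added example: flag IRS-lookalike lure URLs and the ZBot payload download
# in constructed proxy log lines. Not Avira's code; all data here is made up.
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs

# "irs.gov" followed by more labels, e.g. www.irs.gov.<host>.com (the post's pattern)
# or irs.gov.<host>.net (assumed variant). Real IRS hosts *end* in irs.gov.
LOOKALIKE_RE = re.compile(r"(^|\.)irs\.gov\.")
PAYLOAD_NAME = "tax-statement.exe"   # file name quoted in the post

def is_lookalike_host(host: str) -> bool:
    """True if the host spoofs irs.gov as a leading label but is registered elsewhere."""
    host = host.lower().rstrip(".")
    if host == "irs.gov" or host.endswith(".irs.gov"):
        return False  # genuinely under the IRS zone
    return LOOKALIKE_RE.search(host) is not None

def classify_url(url: str) -> Optional[dict]:
    """Return a finding for a lure or payload URL, or None if the URL looks benign."""
    p = urlparse(url)
    host = p.hostname or ""
    if is_lookalike_host(host):
        qs = parse_qs(p.query)
        # The attacker's click-tracking parameters also tell *us* which recipient
        # clicked, which is exactly who needs to be contacted and checked.
        return {
            "kind": "lure",
            "host": host,
            "email": qs.get("email", [None])[0],
            "tid": qs.get("tid", [None])[0],
        }
    if p.path.endswith(PAYLOAD_NAME):
        # Payload hosts outlive the lure URLs, so the file name is worth matching on its own.
        return {"kind": "payload", "host": host, "email": None, "tid": None}
    return None

def scan_log(lines) -> list:
    """Scan '<timestamp> <client> <method> <url>' lines (constructed format)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        finding = classify_url(url)
        if finding:
            finding.update(ts=ts, client=client)
            findings.append(finding)
    return findings

# Constructed sample log: two lure clicks, one payload download, one legitimate IRS visit.
LOG_LINES = """\
2009-09-22T10:14:03Z 10.0.0.12 GET http://www.irs.gov.example.com/fraud_application/directory/statement.php?email=alice%40example.com&tid=alice-00000174073547US
2009-09-22T10:14:09Z 10.0.0.12 GET http://203.0.113.5/files/tax-statement.exe
2009-09-22T10:15:00Z 10.0.0.33 GET https://www.irs.gov/individuals/index.html
2009-09-22T10:16:42Z 10.0.0.7 GET http://irs.gov.example.net/fraud_application/directory/statement.php?email=bob%40example.com&tid=bob-00000174073548US
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['ts']} {f['client']} {f['kind']:7s} host={f['host']} email={f['email']} tid={f['tid']}")
```

The lure rule deliberately keys on the hostname rather than on the full URL, because the post notes that the lure URLs change every few hours while the hostname trick stays the same. A client that appears with a lure finding followed by a payload finding (10.0.0.12 in the sample) is the one to isolate and scan first.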

Update from 30 September 2009: This spam wave has now come to an end; from one day to the next there were no new malware mails.

Sorin Mustaca
Manager International Software Development