Security researchers from Trend Micro have spotted an interesting malware distribution campaign. Cybercriminals are using the Patnote (Pioneer) virus to spread ZeuS (Zbot).
When the Patnote file infector is launched, it appends its code to all executable files, including ones on removable and network drives. This code is designed to drop the embedded ZeuS version (TSPY_ZBOT.PNR) into the “User Temp” folder and execute it, and to infect other executables.
The fact that Patnote spreads across multiple systems makes the threat more difficult to remove. It also allows ZeuS to infect networks with restricted Web access.
It’s also worth noting that Patnote employs some mechanisms that prevent researchers from analyzing it. It’s designed to stop working if analysis tools such as StudPDE, ProcDump, OllyDbg or WinHex are detected.
To keep your system from getting infected with this threat, avoid clicking on suspicious links and always keep your antivirus software updated.