09 Nov 2009
Article from Rik Ferguson
Filed under: Phishing, Underground Economy, malware | Tags: banking, cybercrime, data loss, email, malicious code, malware, MySpace, Phishing, web, Zbot, ZeuS | 3 Comments
The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have “logged in”, though, the supposed “MySpace Update Tool” is waiting to trick the unwary into installing their very own variant of the ZeuS agent. We detect this as TSPY_ZBOT.SMP, and the Smart Protection Network also blocks the spam emails and web addresses associated with this campaign.
“Does not arouse suspicion of its presence if you do not want it to. By this is meant what many spyware authors like to do: unloading firewalls and antivirus, blocking their updates, blocking Ctrl+Alt+Del, etc.
A separate configuration file that protects you from losing the botnet in case the preferred server becomes inaccessible. Plus additional (reserve) configuration files that the bot will turn to when the main configuration file is not accessible. This system guarantees the survival of your botnet in 90% of cases.
Interception of POST data + interception of keystrokes (including data pasted from the clipboard).
Transparent URL redirect (to fake sites, etc.) with simple redirect conditions (for example: only on a GET or POST request, or on the presence or absence of certain data in the POST request).
Transparent HTTP(S) content substitution (web injects, which allow substituting not only HTML pages but any other type of data). Substitution is specified by means of substitution masks.
Configurable TAN grabber for any country.
THE IDEAL SOLUTION FOR VIRTUAL KEYBOARDS: after visiting the required URL, a screenshot is taken of the area of the screen where the left mouse button was pressed.
Retrieval of certificates from the “MY” store (certificates marked “not exportable” are not exported correctly) and clearing of the store. After that, any imported certificate will be saved to the server.
Interception of POP3 and FTP logins/passwords regardless of port, recorded to the logs only on successful authorisation.
Changing local DNS: removal/addition of entries in the file %system32%\drivers\etc\hosts, i.e. mapping the specified domain to the specified IP for WinSock.
Taking a screenshot of the victim’s computer in real time; the computer must be outside NAT.
Receiving commands from the server side and reporting back on successful execution. (Currently: launching a local/remote file, immediate update of the configuration file, OS destruction.)
SOCKS4 server.
HTTP(S) proxy server.”
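The “local DNS” feature in the readme above is just an edit to the Windows hosts file, which is also one of the cheapest things to check on a suspect machine. The script below is an added example (not code from the original post, and nothing to do with the ZeuS kit itself) that parses a hosts file and flags any watched domain, or subdomain of it, that has been mapped to a routable address rather than a loopback or unspecified sinkhole. The watch list, the domain names and the sample hosts content are all constructed for illustration; the addresses come from the documentation ranges (192.0.2.0/24, 203.0.113.0/24).

```python
"""Audit a Windows-style hosts file for domain hijacks of the kind a banking
Trojan plants (e.g. a bank or AV update host pointed at an attacker IP).
Added example with constructed sample data; runs offline."""
import ipaddress
from typing import Dict, List, Tuple

# Domains a defender would care about: banks and security-vendor update hosts.
# Constructed placeholders, not real sites.
WATCH_DOMAINS = ["bank-example.com", "antivirus-example.com"]

# Default Windows location of the file the readme refers to.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def _is_benign_target(ip: str) -> bool:
    """A benign hosts line normally maps names to loopback (127.0.0.1, ::1)
    or the unspecified address (0.0.0.0, used by ad-blocking lists).
    Anything that does not parse as an IP is treated as suspicious."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for every active mapping line.
    Comments (# ...) and blank lines are skipped; hostnames are lower-cased."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # an IP with no hostname is not a mapping
            continue
        entries.append((n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_hijacks(text: str, watch_domains: List[str]) -> List[Dict]:
    """Flag every watched domain (or subdomain) mapped to a non-benign IP."""
    watch = [d.lower() for d in watch_domains]
    findings = []
    for n, ip, hosts in parse_hosts(text):
        if _is_benign_target(ip):
            continue
        for h in hosts:
            if any(h == d or h.endswith("." + d) for d in watch):
                findings.append({"line": n, "host": h, "ip": ip})
    return findings


def audit_hosts_file(path: str = WINDOWS_HOSTS_PATH,
                     watch_domains: List[str] = WATCH_DOMAINS) -> List[Dict]:
    """Read a real hosts file from disk and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read(), watch_domains)


# Constructed sample: a normal header, an ad-block sinkhole, and two hijacks.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.   (constructed sample)",
    "127.0.0.1       localhost",
    "::1             localhost",
    "0.0.0.0         ads.example.net          # ad-blocking sinkhole, benign",
    "203.0.113.45    online.bank-example.com www.bank-example.com  # hijack",
    "192.0.2.7       update.antivirus-example.com  # starves AV of updates",
])

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS, WATCH_DOMAINS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

On the constructed sample this reports the two bank hostnames on line 5 and the AV update host on line 6, while the loopback and 0.0.0.0 lines pass. Mapping a name to a routable address is not malicious by itself (developers do it all the time), which is why the check is keyed to a watch list rather than flagging every non-loopback entry.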
My favourite part of this particular readme though has to be this:
“Records the pages just visited on first start on the computer. This is useful when installing through exploits: if you buy loads from a suspicious service, you can find out what else is being loaded in parallel.”
Basically, as a budding cybercriminal it’s tough to find partners you can trust. So if the person you paid to load your bot from their booby-trapped web page decides to send their own little package to your victims as well, you’ll know about it.
This particular vendor is offering a fully installed, configured and supported ZeuS installation (control panel, agent builder and injection scripts) for just $320 (USD).
Trackback from Jared Rimer’s Technology blog and podcast, Tuesday, 10 November 2009, 3:05 am:
[...] NoSpace for another banking Trojan » Countermeasures. [...]

Trackback, Monday, 9 November 2009, 8:49 pm:
[...] This post was mentioned on Twitter by Rik Ferguson and Silas Martins, Darlene Dobbs. Darlene Dobbs said: RT @rik_ferguson New blog: NoSpace for another banking Trojan (MySpace phishing+malware)- http://bit.ly/31rmXs [...]