Trojan (Sep 17, 2008)


SonicWALL UTM Research team observed a new spam campaign starting on Wednesday, Sep 17 at 00:41:58 PST, which uses fake legal paperwork as social engineering.

SonicWALL has received 450 e-mail copies of this malware so far.

Attachment: (contains file contract.doc.exe)

The email contents is
Dear customers,
We have prepared a contract and added the paragraphs that
you wanted to see in it.
Our lawyers made alterations on the last page.
If you agree with all the provisions we are ready to
make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.

If necessary, we can send it by fax.
Looking forward to your decision.

The subjects used by this Trojan are

  • Contract of order fulfillment
  • Contract of retirement
  • Contract of settlements
  • Loan Contract
  • Open an account
  • Permit for retirement
  • Record in debit of account
  • Rent contract
  • Your new labour contract

When run it copies itself to C:Program FilesMicrosoft Commonwuauclt.exe, A:system.exe, B:system.exe

|–> http://www.econoco**.com/images/lspr.exe
|–> http://www.econoco**.com/images/rep.exe

Trojan then changes the Registry:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exe “” = C:Program FilesMicrosoft Commonwuauclt.exe

The Trojan is also known as Trojan.Win32.Agent.adyf (Kaspersky), TR/Dldr.Agent.RCE (Antivir) and Win32/AutoRun.ZV worm (Eset). It has a file size of 66,560 bytes.

SonicWALL has released a signature to protect against this threat: GAV: Agent.ADYF (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.