Important Document (doc.zip) spam (Sep 23, 2008)

The SonicWALL UTM Research team observed a new spam campaign that started on Monday, September 22, 2008. It involves a fake e-mail claiming to carry an important document.

SonicWALL has received 4,500 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: doc.zip (contains doc.exe) -> password protected

Subject: Important document for X (where X = random alphanumeric string)

Email Body:
————————
Hello X, the document is attached. Pass 123.
————————

The e-mail attachment contains a zipped malware executable, which is a new Downloader Trojan. When executed, the Trojan drops the following files on the system:

  • c:2.tmp
  • c:3.tmp
  • c:4.tmp
  • c:5.tmp
  • c:6.tmp
  • c:7.tmp

It also tries to download other malware by sending the following GET requests:

  • hxxp://79.135.XX.18/cgi-bin/index.cgi?user5
  • hxxp://79.135.XX.18/scan.exe
  • hxxp://79.135.XX.18/s.exe
  • hxxp://79.135.XX.18/l.exe
  • hxxp://79.135.XX.18/ftp.exe
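The callback URLs above are the most useful network indicators in this advisory. The following is an added example, not SonicWALL code, showing how a defender can sweep web-proxy logs for them: the third octet of the server address is redacted as "XX" in the advisory, so the host is matched as a pattern (an assumption), while the request paths are taken from the list as given. The log lines are constructed here in a Squid-like access.log layout, with "79.135.0.18" standing in for the redacted address, so the script runs offline.

```python
"""Proxy-log check for the downloader's callback requests.

Added example, not SonicWALL code. Matches the GET requests listed in the
advisory against constructed Squid-style access-log lines
("ts elapsed client status/code size method url ...").
"""
import re
from urllib.parse import urlsplit

# The advisory redacts the third octet as "XX"; accept any value there (assumption).
CALLBACK_HOST = re.compile(r"^79\.135\.\d{1,3}\.18$")

# Request paths (with query string) exactly as listed in the advisory.
CALLBACK_PATHS = {
    "/cgi-bin/index.cgi?user5",
    "/scan.exe",
    "/s.exe",
    "/l.exe",
    "/ftp.exe",
}

# Constructed sample log. "79.135.0.18" is a placeholder for the redacted address.
SAMPLE_LOG = """\
1222128000.101    120 10.0.0.25 TCP_MISS/200 612 GET http://79.135.0.18/cgi-bin/index.cgi?user5 - DIRECT/79.135.0.18 text/html
1222128001.220    340 10.0.0.25 TCP_MISS/200 90112 GET http://79.135.0.18/scan.exe - DIRECT/79.135.0.18 application/octet-stream
1222128002.005     40 10.0.0.40 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
1222128003.310    150 10.0.0.25 TCP_MISS/404 410 GET http://79.135.0.18/other.php - DIRECT/79.135.0.18 text/html
1222128004.777    210 10.0.0.7 TCP_MISS/200 65536 GET http://example.org/scan.exe - DIRECT/- application/octet-stream
"""


def classify_request(url):
    """Return "callback" for a URL from the advisory's list, "host-only" for any
    other request to the downloader host, or None for unrelated traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not CALLBACK_HOST.match(host):
        return None
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    return "callback" if path_q in CALLBACK_PATHS else "host-only"


def scan_proxy_log(text):
    """Walk access-log lines and collect the requests worth an analyst's attention."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        timestamp, client, method, url = fields[0], fields[2], fields[5], fields[6]
        tier = classify_request(url)
        if tier is not None:
            hits.append({"ts": timestamp, "client": client, "method": method,
                         "url": url, "tier": tier})
    return hits


def affected_clients(hits):
    """Internal hosts that issued a known callback request, i.e. likely infected."""
    return sorted({h["client"] for h in hits if h["tier"] == "callback"})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["tier"]:9} {h["client"]:<10} {h["url"]}')
    print("clients to isolate:", affected_clients(found))
```

The host check matters: a request for `/scan.exe` on an unrelated host (the last sample line) is not reported, while any request to the downloader host with an unlisted path is still surfaced as "host-only" so an analyst can review it.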

The Trojan is also known as TrojanDownloader:Win32/Chepvil.H [Microsoft], W32/Trojan3.AN [F-Prot], and TR/Dropper.Gen [AntiVir].

SonicWALL provides protection against password-protected ZIP files via the GAV signature "Password-protected ZIP file". It is highly recommended to turn on the "Restrict Transfer of password-protected ZIP files" option in the Gateway Anti-Virus settings, which enables this signature.
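A password-protected archive cannot be scanned for its contents, which is why blocking it outright at the gateway is effective against this campaign. The following is an added example, not SonicWALL's implementation, showing the check such a setting relies on: the encryption bit in each ZIP entry's general-purpose flags. Python's zipfile module cannot write encrypted archives, so the sample archive (mirroring the doc.zip containing doc.exe shape from this advisory) is built by hand with struct; the blocking policy, the list of executable extensions and the function names are assumptions made for the example.

```python
"""Gateway-style check for password-protected ZIP attachments.

Added example, not SonicWALL code. Builds a minimal ZIP in memory (constructed
sample) and inspects it the way a mail or gateway filter would: read each
entry's general-purpose flag bits for the encryption bit and look at entry
names for executables. Nothing is extracted or run.
"""
import io
import struct
import zipfile
import zlib

# General-purpose bit flag, bit 0: entry is encrypted (PKZIP "password protected").
FLAG_ENCRYPTED = 0x0001
# Extensions treated as executable content inside an archive (assumption for this example).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_zip(entries, encrypted):
    """Construct a stored (uncompressed) ZIP from (name, payload) pairs.

    zipfile cannot write encrypted archives, so the local headers, central
    directory and end-of-central-directory record are packed by hand. When
    `encrypted` is True only the flag bit is set; the payload bytes are left
    as-is, which is all header inspection needs (a real password-protected
    archive would carry ciphertext here).
    """
    flags = FLAG_ENCRYPTED if encrypted else 0
    local_parts, central_parts, offset = [], [], 0
    for name, payload in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        # Local file header: sig, version needed, flags, method, time, date,
        # crc, compressed size, uncompressed size, name length, extra length.
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(payload), len(payload), len(name_b), 0) + name_b + payload
        # Central directory header: as above plus version made by, comment length,
        # disk number, internal/external attributes and local header offset.
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                              crc, len(payload), len(payload), len(name_b), 0, 0, 0, 0, 0,
                              offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    central_dir = b"".join(central_parts)
    # End of central directory: disk numbers, entry counts, CD size, CD offset, comment length.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central_dir), offset, 0)
    return b"".join(local_parts) + central_dir + eocd


def inspect_attachment(zip_bytes):
    """Report what a gateway can learn from the archive headers alone."""
    report = {"entries": [], "password_protected": False, "executable_inside": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            is_encrypted = bool(info.flag_bits & FLAG_ENCRYPTED)
            is_exe = info.filename.lower().endswith(EXECUTABLE_EXTENSIONS)
            report["entries"].append({"name": info.filename,
                                      "encrypted": is_encrypted,
                                      "executable": is_exe})
            report["password_protected"] = report["password_protected"] or is_encrypted
            report["executable_inside"] = report["executable_inside"] or is_exe
    return report


def gateway_verdict(zip_bytes, restrict_password_protected=True):
    """Return ("block", reason) or ("allow", None). The policy mirrors the idea of a
    'restrict transfer of password-protected ZIP files' setting (assumption)."""
    report = inspect_attachment(zip_bytes)
    if restrict_password_protected and report["password_protected"]:
        return "block", "password-protected ZIP"
    if report["executable_inside"]:
        return "block", "executable inside archive"
    return "allow", None


if __name__ == "__main__":
    # Constructed sample mirroring the campaign: doc.zip holding doc.exe, flagged as encrypted.
    sample = build_sample_zip([("doc.exe", b"MZ" + b"\x00" * 62)], encrypted=True)
    print(inspect_attachment(sample))
    print(gateway_verdict(sample))
```

The point of the header-level check is that it needs no password: the encryption flag is stored in the clear, so a gateway can block the attachment without ever attempting to open it, and the embedded executable name is visible in the directory for the same reason.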

SonicWALL has also released a signature to detect the new Downloader Trojan: Agent.AHKV (Trojan).
