Obama Sex Trojan (Sep 12, 2008)


SonicWALL UTM Research team observed a new spam campaign which uses the US presidential election as a social engineering mechanism to install a Trojan.

The email appears to be from obamasex@obama.com with the subject “Barack Obama sex story with girl”.

The email contents is
Sensation!!! United States Senator for Illinois
Barack Obama in 2007 was travel to Ukraine and
have sex action with many ukrainian girls!
You may view this private porno in a flash video.
Download and view now. Please send this
news to your friends!
Obama it’s not right choice!!!

link goes to a Chinese domain site hosted in Thailand

If the link is clicked a video plays for 14 seconds, and in the background, information-stealing Trojan is installed on the victim’s computer.

The Trojan is also known as Trojan.Win32.Agent.acyq (Kaspersky), PWS-Banker.cs trojan (McAfee) and Mal/Hupig-D (Sophos). It installs itself in C:Documents and Settings[UserName]Local SettingsTempsystem32_.exe and installs 809.exe in the user’s Temporary Internet Files folder.

Also a Browser Helper Object (BHO) named Siemens32.dll is registered. It posts stolen data to a compromised Finnish travel site,

SonicWALL has released a GAV signature to protect against this threat: GAV: Agent.ACYQ (Trojan)

Here is a screenshot of the email:


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.