Angelina Jolie video spam (Oct 6, 2008)


SonicWALL UTM Research team observed a new wave of the on-going Angelina Jolie video spam campaign starting on Monday, October 6, 2008. The email has a zip archived attachment which contains the new Downloader Trojan variant.

SonicWALL has received more than 60,000 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: (contains video.exe – UPX packed)

Subject: Angelina Jolie Free Video

Email Body:
New sex scandal, Angelina Jolie porn watch in attached file

The Trojan when executed drops following malicious files in the system folder:

  • gzipmod.dll
  • vbagz.sys

It also creates the following Registry keys to ensure that gzipmod.dll is installed as a Winlogon notification package:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
  • HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
  • HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys

The Trojan includes a backdoor component that listens on TCP port 6051 & 6052. It also tries to resolve the following domains and subsequently sends HTTP requests to them:


The Trojan is also known as Trojan.Spy.Goldun.NDU [BitDefender], Win32/Spy.Goldun.NDN trojan [ESET], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.XQL (Trojan) signature.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.