Angelina Jolie video spam (Oct 6, 2008)
SonicWALL UTM Research team observed a new wave of the on-going Angelina Jolie video spam campaign starting on Monday, October 6, 2008. The email has a zip archived attachment which contains the new Downloader Trojan variant.
SonicWALL has received more than 60,000 e-mail copies of this malware till date. The e-mail looks like following:
Attachment: video.zip (contains video.exe – UPX packed)
Subject: Angelina Jolie Free Video
Email Body:
————————
New sex scandal, Angelina Jolie porn watch in attached file
————————
The Trojan when executed drops following malicious files in the system folder:
- gzipmod.dll
- vbagz.sys
It also creates the following Registry keys to ensure that gzipmod.dll is installed as a Winlogon notification package:
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
- HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
- HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys
The Trojan includes a backdoor component that listens on TCP port 6051 & 6052. It also tries to resolve the following domains and subsequently sends HTTP requests to them:
- sargej-grienko.com
- ulm-haafeulm-haa.com
- art8005.com
The Trojan is also known as Trojan.Spy.Goldun.NDU [BitDefender], Win32/Spy.Goldun.NDN trojan [ESET], and TR/Crypt.XPACK.Gen [AntiVir]
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.XQL (Trojan) signature.
