ICS Monitoring Team spam (Sep 29, 2008)


SonicWALL UTM Research team observed a new spam campaign starting on Friday, September 27, 2008 which involves a fake notification e-mail pretending to be arriving from ICS Monitoring Team. The email has a zip archived attachment which contains the new Downloader Trojan.

SonicWALL has received more than 40,000 e-mail copies of this malware so far. The e-mail looks like following:

Attachment: user-EA49943X-activities.zip (contains user-EA49943X-activities.exe)

Subject: Your internet access is going to get suspended

Email Body:
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists. We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely ICS Monitoring Team

The Trojan when executed drops following malicious files in the system folder:

  • gzipmod.dll
  • tremir.bin
  • vbagz.sys

It also creates the following Registry keys:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
  • HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
  • HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys

It also tries resolve the following domains and subsequently sends HTTP requests to them:

  • ulm-haafeulm-haa.com
  • art8005.com

The Trojan is also known as Trojan-Dropper.Win32.Agent.xgg [Kaspersky], W32/Downldr2.DVJA [F-Prot], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provided protection against this malware via GAV: Goldun.AZM (Trojan) signature [159,053 hits recorded].


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.