ICS Monitoring Team spam (Sep 29, 2008)
SonicWALL UTM Research team observed a new spam campaign starting on Friday, September 27, 2008 which involves a fake notification e-mail pretending to be arriving from ICS Monitoring Team. The email has a zip archived attachment which contains the new Downloader Trojan.
SonicWALL has received more than 40,000 e-mail copies of this malware so far. The e-mail looks like following:
Attachment: user-EA49943X-activities.zip (contains user-EA49943X-activities.exe)
Subject: Your internet access is going to get suspended
Email Body:
————————
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of software authors, artists. We conduct regular wiretapping on our networks, to monitor criminal acts.
We are aware of your illegal activities on the internet wich were originating from
You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.
Sincerely ICS Monitoring Team
————————
The Trojan when executed drops following malicious files in the system folder:
- gzipmod.dll
- tremir.bin
- vbagz.sys
It also creates the following Registry keys:
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
- HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
- HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys
It also tries resolve the following domains and subsequently sends HTTP requests to them:
- ulm-haafeulm-haa.com
- art8005.com
The Trojan is also known as Trojan-Dropper.Win32.Agent.xgg [Kaspersky], W32/Downldr2.DVJA [F-Prot], and TR/Crypt.XPACK.Gen [AntiVir]
SonicWALL Gateway AntiVirus provided protection against this malware via GAV: Goldun.AZM (Trojan) signature [159,053 hits recorded].
