New statement spam (Oct 17, 2008)

SonicWALL UTM Research team observed a new wave of the on-going Statement document spam campaign starting today Friday, October 17, 2008. The email has a zip archived attachment which contains the new Trojan variant.

The e-mail contains following attachment:

Attachment: Statement_01-10.zip (contains Statement_01-10.doc [WHITESPACES] .exe – UPX packed)

The Trojan when executed drops following malicious files in the system folder:

• rs32net.exe (copy of itself)

It also creates the following Registry keys to ensure that rs32net.exe gets executed automatically on system startup:

• HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunrs32net = “(SYSTEM FOLDER PATH)rs32net.exe”

It then starts the rs32net.exe process and deletes the original copy of the file from the folder where it was executed.

The Trojan tries to send a HTTP GET request

• GET /40E80008F04FCE3BCEE24D126C000001DD6600000002760000015EEB000530829EA5AC HTTP/1.0

to following IP addresses:

• 208.66.194.240
• 216.195.55.50
• 216.195.56.22
• 209.66.122.238
• 91.203.92.7
• 208.66.195.15
• 208.66.195.71

The Trojan has a very low detection at the time of writing this report.

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AGWR (Trojan) signature.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.