Merry Christmas Spam – Banker Trojan (Dec 02, 2008)

SonicWALL UTM Research team observed a new spam campaign starting today, Tuesday, December 02, 2008, which involves fake e-mails pretending to arrive from Coca-Cola, McDonald's, or Hallmark. Each e-mail carries a zip attachment that contains the new Banker Trojan.

The e-mail looks like the following:

Attachment:

  • postcard.zip (contains postcard.doc .scr)
  • promotion.zip (contains coupon.exe)
  • coupon.zip (contains coupon.exe)

Subject:

  • You’ve received A Hallmark E-Card!
  • Coca Cola is proud to accounce our new Christmas Promotion.
  • Mcdonalds wishes you Merry Christmas!

Email Body:
————————
Dear Holder

Hello!

You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.
There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

Hope to see you soon, Your friends at Hallmark

Your privacy is our priority. Click the “Privacy and Security” link at the bottom of this E-mail to view our policy.
Hallmark.com | Privacy & Security | Customer Service | Store Locator
————————

The content of the Coca-Cola and McDonald’s spam email is fetched from Coca-Cola and McDonald’s official websites.
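The attachment names above are the whole lure: two of the archives carry a bare .exe, and the third carries "postcard.doc .scr", a decoy .doc extension padded with whitespace so that a narrow file-browser column shows only "postcard.doc" while Windows executes it as a screensaver. The following is an added example, not SonicWALL's code, showing how a mail-gateway or triage script can flag both patterns inside a zip before the user ever sees it. The archive contents are constructed placeholder bytes, not the real attachment, and the list of executable extensions is an assumption kept deliberately short.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed subset, extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Archive names and member names as reported in the advisory.
# "postcard.doc .scr" is the padded double-extension trick.
ADVISORY_ATTACHMENTS = {
    "postcard.zip": ["postcard.doc .scr"],
    "promotion.zip": ["coupon.exe"],
    "coupon.zip": ["coupon.exe"],
}

# Decoy extension, run of whitespace, then the real extension at the end.
PADDED_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\s+\.[a-z0-9]{1,4}$")


def build_sample_zip(member_names):
    """Construct an in-memory zip with harmless placeholder bytes (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder content constructed for the example")
    return buf.getvalue()


def classify_member(name):
    """Return the reasons a zip member name should be blocked; empty if none."""
    reasons = []
    lowered = name.lower()
    # The real extension is whatever follows the LAST dot, spaces included.
    ext = lowered[lowered.rfind("."):] if "." in lowered else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if PADDED_DOUBLE_EXT.search(lowered):
        reasons.append("padded double extension")
    return reasons


def triage_zip(zip_bytes):
    """Map every suspicious member name in the archive to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def triage_advisory_samples():
    """Build the three advisory archives from placeholders and triage each."""
    return {
        archive: triage_zip(build_sample_zip(members))
        for archive, members in ADVISORY_ATTACHMENTS.items()
    }


if __name__ == "__main__":
    for archive, findings in triage_advisory_samples().items():
        print(archive, findings)
```

The check deliberately keys on the last extension rather than the first, and it treats the whitespace run as its own signal, so a future variant that swaps .scr for another executable extension is still caught by the second rule even if the first list is incomplete.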

The Trojan, when executed, performs the following host-level activity:

  • Creates qnx.exe in the Windows System directory and runs it
  • Creates vxworks.exe in the Windows System directory and runs it
  • Deletes the original copy of the file

It creates the following Registry keys and values:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wind River Systems = “[Windows System Dir]\vxworks.exe”
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS

The vxworks.exe process listens on TCP ports 1056 and 1071 and also sends the following GET request:

  • http://whatismyip.com/automation/n09230945.asp

The Trojan is also detected as Trojan-Banker.Win32.Banker.abbi [Kaspersky], VirTool:Win32/CeeInject.gen!J [Microsoft], and TR/Dropper.Gen [AntiVir].
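The dropped files, the Run value, the two listening ports and the IP-lookup request together give a defender four host-side indicators to sweep for. The following is an added example, not SonicWALL's code, that matches a host inventory against exactly those indicators. The inventory is a constructed snapshot (not real telemetry) shaped like what a simple collection script would return; the system directory path is an assumption, since the advisory says only "[Windows System Dir]".

```python
from urllib.parse import urlparse

# Indicators taken from the advisory.
IOC_RUN_VALUE_NAME = "wind river systems"
IOC_DROPPED_FILES = {"qnx.exe", "vxworks.exe"}
IOC_LISTEN_PORTS = {1056, 1071}
IOC_URL = "http://whatismyip.com/automation/n09230945.asp"

# Assumed location of "[Windows System Dir]"; adjust for the host being checked.
SYSTEM_DIR = r"C:\Windows\System32"

# Constructed host snapshot: Run values, files in the system directory,
# listening TCP sockets with their owning process, and proxy-logged URLs.
SAMPLE_SNAPSHOT = {
    "run_values": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "Wind River Systems": r"C:\Windows\System32\vxworks.exe",
    },
    "system_files": ["kernel32.dll", "vxworks.exe", "qnx.exe"],
    "listening_tcp": [("svchost.exe", 135), ("vxworks.exe", 1056), ("vxworks.exe", 1071)],
    "http_requests": [
        "http://www.example.com/index.html",
        "http://whatismyip.com/automation/n09230945.asp",
    ],
}


def check_run_values(run_values):
    """Flag a Run value by its advisory name or by the dropped binary it launches."""
    hits = []
    for name, command in run_values.items():
        binary = command.lower().rsplit("\\", 1)[-1]
        if name.lower() == IOC_RUN_VALUE_NAME or binary in IOC_DROPPED_FILES:
            hits.append(f"run value '{name}' -> {command}")
    return hits


def check_system_files(file_names):
    """Flag the two dropped executables in the system directory listing."""
    return [f"dropped file {SYSTEM_DIR}\\{n}" for n in file_names
            if n.lower() in IOC_DROPPED_FILES]


def check_listeners(listening_tcp):
    """Flag any process listening on the Trojan's two TCP ports."""
    return [f"{proc} listening on tcp/{port}" for proc, port in listening_tcp
            if port in IOC_LISTEN_PORTS]


def check_http_requests(urls):
    """Flag the external-IP lookup by host and path, ignoring scheme and query."""
    want = urlparse(IOC_URL)
    hits = []
    for url in urls:
        parsed = urlparse(url)
        if parsed.hostname == want.hostname and parsed.path == want.path:
            hits.append(f"external IP lookup {url}")
    return hits


def check_host(snapshot):
    """Run every indicator check over a snapshot and return all findings."""
    findings = []
    findings += check_run_values(snapshot.get("run_values", {}))
    findings += check_system_files(snapshot.get("system_files", []))
    findings += check_listeners(snapshot.get("listening_tcp", []))
    findings += check_http_requests(snapshot.get("http_requests", []))
    return findings


if __name__ == "__main__":
    for finding in check_host(SAMPLE_SNAPSHOT):
        print(finding)
```

The IP-lookup request on its own is weak evidence, since legitimate tools query the same kind of service; it is the combination with the Run value and the two dropped executables that makes the match convincing, which is why the checks are kept separate and all of their findings are reported rather than collapsed into one verdict.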

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Banker.ABBI (Trojan) signature.
