Virtumonde windshield malware (Feb 9, 2009)

SonicWALL UTM Research team observed a new interesting social engineering trick to install malware: hackers are using fake parking violation warnings to trick motorists into visiting malware-infested websites.

A windshield flier was left in cars with a website address linked to a malicious file. The fliers said:

  PARKING VIOLATION  This vehicle is in violation of  standard parking regulations.  To view pictures with information about  your parking preferences, go to  http://horribleparkxxxx.com/  

The website serves the malicious file to the user: http://horribleparkxxxx.com/PictureSearchToolbar.exe

This malware: PictureSearchToolbar.exe is detected by SonicWALL as GAV: AgentBypass_6 (Trojan).

It is a variant of Virtumonde / Vundo family of trojan horse that cause popups and advertises rogue antispyware programs. (aka Win32/Vundo.JI [Microsoft]). PictureSearchToolbar.exe is 56,832 bytes in size and when it runs it drops these files on the system:

• %Temp%awtrQGay.bat – 63 bytes
• %System%yayyXRKe.dll – 38,912 bytes

It injects yayyXRKe.dll in explorer.exe process.

It also creates the following registry entries:

• HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
• HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}InprocServer32
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionControl PanelSettings
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyyayyXRKe
• HKEY_LOCAL_MACHINESOFTWAREMicrosoft0cd0861
• HKEY_CURRENT_USERSoftwareMicrosoftcs41275

It then attempts to download http://childxxxx.com/pas/apstpldr.dll.html?affid=177194&uid=&guid=16560F811C084DA3B8270F85F0661238 and save it as %System%awtrQGay.dll.

Downloaded malware: awtrQGay.dll is detected by SonicWALL as GAV: Monder_3 (Trojan), it is another variant of Virtumonde/Vundo trojan and attempts to install Fake Antivirus software from bestantispywaresecurityxxx.com

SonicWALL Gateway AntiVirus provides protection against this attack via GAV: Monder_3 (Trojan) and GAV: AgentBypass_6 (Trojan) signatures.

The following figures shows the recorded hits for GAV: Monder_3 (Trojan) signature.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.