New Infostealer Trojan (Mar 13, 2009)


SonicWALL UTM Research team observed a new spam campaign starting March 13, 2009 which involves a fake e-mail pretending to come from the Bank of America support system.

The e-mail informs the user that the automatic installation of the Bank of America certificate component failed and that they need to follow the instructions to get it installed. The e-mail contains a malicious link that leads to the download of the new Infostealer Trojan.

SonicWALL has seen more than 8000 e-mail copies for this malware since March 13, 2009, 9 AM PST. The e-mail messages look like the samples below:

Email #1:

screenshot

Email #2:

screenshot

Email #3:

screenshot

When the user clicks on the link in the e-mail, it opens a fake Bank of America page that displays a demo video frame on how to install a Digital Certificate. When the user tries to play the video, it prompts the user to download an Adobe Flash Player update, which is actually the Trojan executable, as seen below:

screenshot

screenshot

Upon execution, it performs the following activities:

  • Drops the following files on the target system:
    • (Windows_Dir)\9129837.exe [Detected as GAV: Papras.JD (Trojan) ]
    • (Windows_Dir)\new_drv.sys [Detected as GAV: Agent.EX (Trojan) ]
    • (Desktop)\abcdefg.bat
  • Makes the following modifications to the Windows Registry:
    • Creates: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tool = “(Windows_Dir)\9129837.exe”
    • Creates: HKLM\SYSTEM\ControlSet001\Services\new_drv\ImagePath = “(Windows_Dir)\new_drv.sys”
  • Attempts to send GET requests containing victim machine information to the following IP address:
    • 58.65.232.17
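The indicators above (dropped file names, the two registry entries and the C2 address) are what a responder would sweep for across hosts and proxy logs. The script below is an added example, not SonicWALL's code, that matches a host file listing, an exported set of registry values and web-proxy log lines against those indicators. It goes slightly beyond the alert in flagging any HTTP request to the C2 address, not only GETs, since a defender wants to see all traffic to it. All sample inputs are constructed here for the stand-alone run; the log line format (`<timestamp> <source> <method> <url>`) is an assumption.

```python
"""Triage host artifacts and proxy logs against the indicators in this alert.

Added example, not SonicWALL's code. File names, registry values and the C2
address come from the alert; the sample inputs at the bottom are constructed.
"""
import re
from dataclasses import dataclass

# Dropped files from the alert. (Windows_Dir)/(Desktop) are the alert's
# placeholders, so matching is done on the trailing file name only.
DROPPED_FILES = {"9129837.exe", "new_drv.sys", "abcdefg.bat"}

# Registry indicators as (normalised key, value name, data fragment), all upper-case.
REGISTRY_INDICATORS = [
    ("HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "TOOL", "9129837.EXE"),
    ("HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\NEW_DRV", "IMAGEPATH", "NEW_DRV.SYS"),
]

C2_ADDRESS = "58.65.232.17"

_HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}


@dataclass(frozen=True)
class Finding:
    category: str  # "file", "registry" or "network"
    detail: str


def normalise_key(key: str) -> str:
    """Upper-case a registry key and collapse long hive names to HKCU/HKLM."""
    hive, _, rest = key.replace("/", "\\").partition("\\")
    hive = _HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest.upper()}".rstrip("\\")


def check_files(paths):
    """Flag any path whose file name is one of the dropped files."""
    return [Finding("file", p) for p in paths
            if re.split(r"[\\/]", p)[-1].lower() in DROPPED_FILES]


def check_registry(entries):
    """entries: iterable of (key, value_name, data) tuples, e.g. from a hive export."""
    findings = []
    for key, value, data in entries:
        nk = normalise_key(key)
        for ind_key, ind_value, ind_frag in REGISTRY_INDICATORS:
            if nk == ind_key and value.upper() == ind_value and ind_frag in data.upper():
                findings.append(Finding("registry", f"{key}\\{value} = {data}"))
    return findings


# Assumed log line shape: "<timestamp> <source> <method> <url>"
_LOG_RE = re.compile(r"^\S+\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def check_log(lines):
    """Flag any request whose URL host is the alert's C2 address."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0].split(":")[0]
        if host == C2_ADDRESS:
            findings.append(Finding("network", f'{m["src"]} {m["method"]} {m["url"]}'))
    return findings


def triage(paths, registry_entries, log_lines):
    """Run all three checks and return the combined list of findings."""
    return check_files(paths) + check_registry(registry_entries) + check_log(log_lines)


# Constructed sample data (not real captures) for a stand-alone run.
SAMPLE_FILES = [
    r"C:\Windows\9129837.exe",
    r"C:\Windows\new_drv.sys",
    r"C:\Windows\notepad.exe",
]
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "tool", r"C:\Windows\9129837.exe"),
    (r"HKLM\SYSTEM\ControlSet001\Services\new_drv", "ImagePath", r"C:\Windows\new_drv.sys"),
    (r"HKLM\SYSTEM\ControlSet001\Services\Dhcp", "ImagePath", r"%SystemRoot%\system32\svchost.exe"),
]
SAMPLE_LOG = [
    "2009-03-13T09:12:01Z 10.0.0.5 GET http://58.65.232.17/?info=HOST1",
    "2009-03-13T09:12:05Z 10.0.0.5 GET http://www.example.com/",
    "2009-03-13T09:13:00Z 10.0.0.6 POST http://58.65.232.17/upload",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_LOG):
        print(f"{f.category:8} {f.detail}")
```

The registry check compares on the normalised key and value name but only requires the indicator's file name to appear somewhere in the data, so the same rule fires whether the sample was dropped under `C:\Windows` or another directory substituted for the alert's `(Windows_Dir)` placeholder.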

The Trojan had very low antivirus detection at the time of writing this alert. It is also known as Infostealer.Snifula.B [Symantec] and Trojan-PSW:W32/Papras.DK [F-Secure].

SonicWALL Gateway Antivirus provides protection against this malware via the GAV: Papras.JD (Trojan) signature.
