Fake Conficker Removal Tool – Agent.MSU (June 10, 2009)
The SonicWALL UTM Research team observed a new Trojan Downloader being spammed in the wild starting June 9, 2009, pretending to come from the Microsoft Security Department.
The email claims to contain an important Windows XP/Vista security update related to the Conficker worm and includes a link to download a removal tool. That download link points to the new Trojan Downloader: it fetches the malicious executable from a domain in Russia:
- windowsupdate.microsoft.com.(Removed).ru/remtool_conf.exe
The downloaded file has zero AV detection at the time of writing this alert, and it looks like this:
When executed, the Trojan performs the following activities:
- Stops the Windows Security Center service (Service Name: wscsvc)
- Creates a new directory, (Windows Temporary folder)\nsf3.tmp, and drops the files webexplorer.exe, nsExec.dll, and NSISdl.dll into it.
- Opens a new window displaying a Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 EULA:
- If the user clicks the accept button and starts the tool, it runs for a while and displays a “fixbrisa” message box at the end:
- Attempts to connect to the makemymoneys.com domain and downloads an Injector Trojan by sending an HTTP GET request:
- GET /install/winupdate.exe
- Detected as GAV: Injector.PI (Trojan)
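A defender-side check for the indicators listed above, written as an added example that is not part of the SonicWALL alert. It takes the indicator values from the alert (the wscsvc service, the nsf3.tmp drop directory and its three files, the remtool_conf.exe lure, and the GET for /install/winupdate.exe on makemymoneys.com) and applies them to three sources a responder would have: a proxy log, a copy of %TEMP%, and the output of `sc query wscsvc`. The proxy log format, the sample log lines, the sample `sc query` text, and the `PLACEHOLDER-DOMAIN.ru` host (standing in for the redacted Russian domain) are all constructed for illustration; the drop-directory match is widened to any `ns*.tmp` name on the assumption that the random suffix varies between runs.

```python
"""Indicator checks for the Agent.MSU fake Conficker removal tool.

Added example, not SonicWALL code. Indicator values come from the alert;
log format, sample lines and sc query text are constructed.
"""
import re
import tempfile
from pathlib import Path

# --- Network indicators from the alert ------------------------------------
LURE_EXE = "remtool_conf.exe"                 # initial downloader lure
LURE_HOST_PREFIX = "windowsupdate.microsoft.com."  # lookalike subdomain on a .ru domain
SECOND_STAGE_HOST = "makemymoneys.com"        # Injector Trojan download host
SECOND_STAGE_PATH = "/install/winupdate.exe"

# --- Host indicators from the alert ----------------------------------------
DROP_DIR_RE = re.compile(r"^ns\w*\.tmp$", re.IGNORECASE)  # alert names nsf3.tmp; suffix assumed to vary
DROPPED_FILES = {"webexplorer.exe", "nsexec.dll", "nsisdl.dll"}
SERVICE_NAME = "wscsvc"

# Constructed proxy log format: "<timestamp> <client-ip> <method> <host> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")


def classify_request(line):
    """Return an indicator label for one proxy log line, or None if it is clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _client, method, host, path, _status = m.groups()
    host, path = host.lower(), path.lower()
    if method == "GET" and host == SECOND_STAGE_HOST and path == SECOND_STAGE_PATH:
        return "injector_download"
    # The lure host impersonates windowsupdate.microsoft.com as a subdomain of a .ru domain.
    lookalike = host.startswith(LURE_HOST_PREFIX) and host.endswith(".ru")
    if path.endswith("/" + LURE_EXE) or lookalike:
        return "fake_removal_tool_download"
    return None


def scan_log(lines):
    """Scan proxy log lines; return (line_no, label, host, path) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        label = classify_request(line)
        if label:
            m = LOG_RE.match(line.strip())
            hits.append((n, label, m.group(4), m.group(5)))
    return hits


def find_drop_dirs(temp_dir):
    """Return ns*.tmp subdirectories of temp_dir that hold the full dropped file set."""
    matches = []
    for sub in Path(temp_dir).iterdir():
        if sub.is_dir() and DROP_DIR_RE.match(sub.name):
            present = {p.name.lower() for p in sub.iterdir() if p.is_file()}
            if DROPPED_FILES <= present:
                matches.append(sub.name)
    return sorted(matches)


SC_STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)


def service_state(sc_query_output):
    """Parse the STATE line of `sc query <service>` output (e.g. 'STOPPED', 'RUNNING')."""
    m = SC_STATE_RE.search(sc_query_output)
    return m.group(1) if m else None


# --- Constructed sample inputs ---------------------------------------------
SAMPLE_LOG = [
    "2009-06-09T10:14:02 10.0.0.21 GET www.example.com / 200",
    "2009-06-09T10:15:40 10.0.0.21 GET windowsupdate.microsoft.com.PLACEHOLDER-DOMAIN.ru /remtool_conf.exe 200",
    "2009-06-09T10:16:05 10.0.0.21 GET makemymoneys.com /install/winupdate.exe 200",
    "2009-06-09T10:16:30 10.0.0.22 POST mail.example.com /login 302",
]

# Modelled on `sc query wscsvc` output after the service has been stopped (constructed).
SAMPLE_SC_QUERY = """SERVICE_NAME: wscsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def build_demo_temp_dir():
    """Create a throwaway directory mimicking %TEMP% after the drop, for demonstration."""
    root = Path(tempfile.mkdtemp())
    drop = root / "nsf3.tmp"
    drop.mkdir()
    for name in ("webexplorer.exe", "nsExec.dll", "NSISdl.dll"):
        (drop / name).write_bytes(b"")
    (root / "unrelated.tmp").mkdir()       # a directory that must not match
    return str(root)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    print("drop dirs:", find_drop_dirs(build_demo_temp_dir()))
    print(SERVICE_NAME, "state:", service_state(SAMPLE_SC_QUERY))
```

Run on a real proxy export the log regex will need adjusting to the product's format; the three indicator functions are independent, so a host that shows the drop directory or a stopped Security Center service is worth examining even when no proxy record exists.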
SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Agent.MSU (Trojan) signature.
A screenshot of the original e-mail message is shown below: