Fake Conficker Removal Tool – Agent.MSU (June 10, 2009)

The SonicWALL UTM Research team observed a new Trojan Downloader being spammed in the wild starting June 9, 2009, pretending to come from the Microsoft Security Department.

The email claims to carry an important Windows XP/Vista security update related to the Conficker worm and includes a link to download a removal tool. That link instead downloads the new Trojan Downloader, a malicious executable hosted on a domain in Russia:

  • windowsupdate.microsoft.com.(Removed).ru/remtool_conf.exe

The downloaded file had zero AV detection at the time of writing this alert. It looks like this:

[screenshot: downloaded file]

When executed, the Trojan performs the following activities:

  • Stops the Windows security center service (Service Name: wscsvc)
  • Creates a new directory named nsf3.tmp under the Windows Temporary folder and drops webexplorer.exe, nsExec.dll, and NSISdl.dll into it.
  • Opens a new window displaying the Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 EULA:
    [screenshot: fake EULA window]

  • If the user clicks the Accept button and starts the tool, it runs for a while and displays a “fixbrisa” message box at the end:
    [screenshot: “fixbrisa” message box]

  • Attempts to connect to the makemymoneys.com domain and downloads an Injector Trojan via an HTTP GET request:
    • GET /install/winupdate.exe
    • Detected as GAV: Injector.PI (Trojan)
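
The two network indicators in the list above (a lookalike host that embeds microsoft.com under a different registered domain, and the follow-up download from makemymoneys.com) and the Security Center service stop can all be surfaced from ordinary proxy and Windows System logs. The script below is an added example and is not part of the original SonicWALL alert; the log lines are constructed, the redacted label in the Russian hostname is replaced with the placeholder "placeholder-label", and the simplified log formats, the two-label registered-domain heuristic and the Event ID 7036 message wording are assumptions of this example.

```python
"""
Added example (not from the original alert): flag the network and host
indicators described in the alert over constructed log lines.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the alert text.
KNOWN_BAD_HOSTS = {"makemymoneys.com"}
KNOWN_BAD_PATHS = {"/remtool_conf.exe", "/install/winupdate.exe"}
# Trusted names the lure tries to impersonate inside a longer hostname.
IMPERSONATED_DOMAINS = {"microsoft.com"}

# Constructed proxy log format (assumption): "<timestamp> <client> <method> <url>"
SAMPLE_PROXY_LOG = """\
2009-06-09T10:01:12 10.0.0.5 GET http://windowsupdate.microsoft.com/
2009-06-09T10:03:40 10.0.0.5 GET http://windowsupdate.microsoft.com.placeholder-label.ru/remtool_conf.exe
2009-06-09T10:05:02 10.0.0.5 GET http://makemymoneys.com/install/winupdate.exe
2009-06-09T10:06:30 10.0.0.7 GET http://www.example.org/index.html
"""
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def registered_domain(host: str) -> str:
    """Last two labels of the host (assumption: good enough for .com/.ru style
    names; a production check would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when a trusted domain appears inside the host but the host is not
    actually under that domain, e.g. windowsupdate.microsoft.com.<label>.ru."""
    host = host.lower().rstrip(".")
    for trusted in IMPERSONATED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            continue  # genuinely under the trusted domain
        if trusted in host:
            return True
    return False


def classify_request(url: str) -> list:
    """Return the reasons a request should be flagged (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if is_lookalike(host):
        reasons.append("lookalike-domain")
    if registered_domain(host) in KNOWN_BAD_HOSTS:
        reasons.append("known-c2-host")
    if parts.path.lower() in KNOWN_BAD_PATHS:
        reasons.append("known-payload-path")
    return reasons


def analyze_proxy_log(text: str) -> list:
    """Yield (timestamp, client, url, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        reasons = classify_request(m["url"])
        if reasons:
            hits.append((m["ts"], m["client"], m["url"], reasons))
    return hits


# Constructed Windows System log excerpt (assumption: Service Control Manager
# Event ID 7036 state-change messages, flattened to "<timestamp> 7036 <message>").
SAMPLE_SYSTEM_LOG = """\
2009-06-09T10:04:01 7036 The Security Center service entered the stopped state.
2009-06-09T10:04:05 7036 The Windows Update service entered the running state.
"""
SERVICE_STOP = re.compile(r"^(?P<ts>\S+)\s+7036\s+The (?P<svc>.+?) service entered the stopped state\.$")


def stopped_services(text: str, watch=("Security Center",)) -> list:
    """Return (timestamp, service) for watched services that entered the stopped state."""
    hits = []
    for line in text.splitlines():
        m = SERVICE_STOP.match(line.strip())
        if m and m["svc"] in watch:
            hits.append((m["ts"], m["svc"]))
    return hits


if __name__ == "__main__":
    for ts, client, url, reasons in analyze_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} {url} -> {', '.join(reasons)}")
    for ts, svc in stopped_services(SAMPLE_SYSTEM_LOG):
        print(f"{ts} service stopped: {svc}")
```

The lookalike check is deliberately conservative: anything that embeds a trusted name without being under it is flagged, which matches how this lure was built and is cheap to triage. Pairing a flagged download with a Security Center stop event from the same host within a few minutes gives a much stronger signal than either indicator alone.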

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Agent.MSU (Trojan) signature.

A screenshot of the original e-mail message is shown below:

[screenshot: original spam e-mail]
