Michael Jackson Video Trojan (June 26, 2009)

The SonicWALL UTM Research team observed a new Trojan Downloader, Adload.LI (Trojan), being spammed in the wild starting June 26, 2009. The spammed e-mails claim to contain links to unseen videos and pictures of the late Michael Jackson.

The link in the spammed e-mail points to a page on a well-known radio broadcasting station website hosted in Australia. At the time of writing this alert, the link was still live and serving the malicious file:

  • www.beatzradio(REMOVED).Jackson_videos_fotos.php

The file is downloaded as Michael.Jackson.videos.scr and carries an icon disguised as an MPEG video file, as seen below. Note that .scr (screen saver) files are ordinary Windows executables, and Explorer hides known extensions by default, so the file appears to the user as a video named "Michael.Jackson.videos":

screenshot

A screenshot of the download prompt from the well-known website is shown below:

screenshot

When executed, the Trojan Downloader performs the following activity:

  • Creates a mutex object named _!SHMSFTHISTORY!_ to mark its presence on the system (a second copy that finds this mutex knows the machine is already infected)
  • Opens a legitimate website showing a news article about Michael Jackson in Internet Explorer, a decoy for the user who expected a video, as seen below:
    screenshot
  • Attempts to download further malicious files from the anella2009.dominiotemporario.com domain. Note that the files are served under image and library names but saved as executables; (Windows) and (System) denote the Windows and System directories:
    • GET /ba/foto.dll – saved as (Windows)Dynamic.dll (GAV: Banker.N (Trojan))
    • GET /ba/michael.gif – saved as (System)fotos.exe (GAV: Banspy.F (Trojan))
    • GET /ba/kproces.gif – saved as (System)kproces.exe (GAV: Banbra.NOR (Trojan))
  • Runs the files downloaded above.
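Both stages of this campaign rely on the same trick: executable content hiding behind a non-executable name (a .scr with a video icon, .gif files that are really PE images). The following is an added example, not code from the original alert or from SonicWALL, showing how a defender can flag such files by checking the content rather than the name: it validates the PE "MZ" stub and the e_lfanew pointer to the "PE\0\0" signature, then compares the verdict with the file extension. The sample files are constructed in memory (a minimal fake PE header and a genuine GIF header); the file names are taken from the alert, the function names and verdict strings are this example's own.

```python
import os
import struct

# Extensions Windows executes directly, whatever icon the file shows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl"}
# Extensions a user expects to hold pictures or video, never code.
MEDIA_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".mpg", ".mpeg", ".avi"}


def is_pe_image(data: bytes) -> bool:
    """True if data is a Windows PE image: an 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # pointer past end: truncated or not PE
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Compare what the name promises with what the bytes are."""
    ext = os.path.splitext(filename)[1].lower()   # last extension only, as Windows uses it
    pe = is_pe_image(data)
    if pe and ext in MEDIA_EXTS:
        return "pe-masquerading-as-media"          # e.g. michael.gif served by the dropper
    if pe and ext in EXECUTABLE_EXTS:
        return "executable"                       # .scr is as executable as .exe
    if pe:
        return "pe-with-unexpected-extension"
    return "not-pe"


def scan(files: dict) -> list:
    """Return (name, verdict) for every file that is a PE image, so the
    caller can block or quarantine it regardless of the icon or extension."""
    return [(name, classify(name, data)) for name, data in files.items()
            if classify(name, data) != "not-pe"]


def make_fake_pe(e_lfanew: int = 0x40) -> bytes:
    """Constructed minimal PE header for testing (not a runnable binary)."""
    hdr = bytearray(b"MZ" + b"\x00" * (0x40 - 2))   # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)      # e_lfanew -> PE signature
    hdr += b"PE\x00\x00" + b"\x00" * 20              # signature + partial COFF header
    return bytes(hdr)


# Constructed sample set: names from the alert, contents synthetic.
SAMPLE_FILES = {
    "Michael.Jackson.videos.scr": make_fake_pe(),   # video icon, still an executable
    "michael.gif": make_fake_pe(),                  # served as .gif, saved as fotos.exe
    "kproces.gif": make_fake_pe(),                  # served as .gif, saved as kproces.exe
    "foto.dll": make_fake_pe(),                     # saved as Dynamic.dll
    "holiday.gif": b"GIF89a" + bytes(64),           # genuine GIF header, benign
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES):
        print(f"{name:28s} {verdict}")
```

The check is deliberately content-first: an attachment filter that trusts MIME type or extension would have passed michael.gif, and an icon-based judgement would have passed the .scr. Extending `is_pe_image` to require a sane COFF header (machine type, section count) tightens it further against files that merely start with "MZ".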

This Trojan is also known as TrojanDownloader:Win32/VB.LI [Microsoft] and Trojan-Downloader.Win32.Adload [Ikarus].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Adload.LI (Trojan) signature.
