Michael Jackson Video Trojan (June 26, 2009)
SonicWALL UTM Research team observed a new Trojan Downloader – Adload.LI (Trojan) being spammed in the wild starting June 26, 2009. The spammed emails pretend to contain links to unseen videos and pictures of late Michael Jackson.
The link in the spammed e-mail points to the website of a well-known radio broadcasting station hosted in Australia. At the time of writing this alert, the link was still live and serving the malicious file:
- www.beatzradio(REMOVED).Jackson_videos_fotos.php
The file is downloaded as Michael.Jackson.videos.scr and carries an icon disguised as an MPEG video file, as seen below:
Screenshot of a download prompt from the well-known website is shown below:
When executed, the Trojan Downloader performs the following activity:
- Creates a Mutex Object _!SHMSFTHISTORY!_ to mark its presence on the system
- Opens up a legitimate website showing a news article related to Michael Jackson in Internet Explorer as seen below:
- Attempts to download malicious files from anella2009.dominiotemporario.com domain:
- GET /ba/foto.dll – saved as (Windows)Dynamic.dll (GAV: Banker.N (Trojan))
- GET /ba/michael.gif – saved as (System)fotos.exe (GAV: Banspy.F (Trojan))
- GET /ba/kproces.gif – saved as (System)kproces.exe (GAV: Banbra.NOR (Trojan))
- Runs the files downloaded above.
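The network indicators above (the lure script name, the second-stage host and its three download paths, and the dropped file names) can be turned directly into a detection over web proxy logs. The following is an added example written for this alert, not SonicWALL's own code or signature logic. It assumes a simple space-separated access log format (timestamp, client, method, URL, status) and uses a placeholder host for the redacted radio station site; the sample log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Indicators from the alert. The initial download host is redacted on the
# page, so for it only the lure script name and the dropped file name are used.
SECOND_STAGE_HOST = "anella2009.dominiotemporario.com"
SECOND_STAGE_PATHS = {
    "/ba/foto.dll": "Banker.N",
    "/ba/michael.gif": "Banspy.F",
    "/ba/kproces.gif": "Banbra.NOR",
}
LURE_SCRIPT = "jackson_videos_fotos.php"
DROPPED_NAMES = {
    "michael.jackson.videos.scr",  # initial lure download
    "dynamic.dll",                 # from /ba/foto.dll
    "fotos.exe",                   # from /ba/michael.gif
    "kproces.exe",                 # from /ba/kproces.gif
}

# Assumed access log layout (not a real product format):
# "<unix_ts> <client_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
URL_RE = re.compile(r"^(?:https?://)?([^/]+)(/.*)?$")


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def classify_url(url):
    """Return a reason string if the URL matches an indicator, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group(1).lower()
    path = (m.group(2) or "/").lower()
    if host == SECOND_STAGE_HOST:
        sig = SECOND_STAGE_PATHS.get(path)
        return f"second-stage download ({sig})" if sig else "contact with second-stage host"
    if LURE_SCRIPT in path:
        return "lure script fetch (initial .scr download)"
    # A screen-saver executable fetched over the web is suspicious on its own;
    # the lure relies on the .scr carrying a video icon.
    if path.endswith(".scr"):
        return "executable .scr download"
    return None


def scan_proxy_log(lines):
    """Match each parsable log line against the indicators; skip malformed lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify_url(m.group("url"))
        if reason:
            hits.append(Hit(m.group("client"), m.group("url"), reason))
    return hits


def suspicious_dropped_files(filenames):
    """Return the names from a directory listing that match the alert's dropped files."""
    return sorted(f for f in filenames if f.lower() in DROPPED_NAMES)


# Constructed sample log; "redacted-station.example" stands in for the real host.
SAMPLE_LOG = """\
1246000001 10.0.0.7 GET http://www.example.org/news/index.html 200
1246000002 10.0.0.7 GET http://redacted-station.example/Jackson_videos_fotos.php 200
1246000003 10.0.0.7 GET http://anella2009.dominiotemporario.com/ba/foto.dll 200
1246000004 10.0.0.7 GET http://anella2009.dominiotemporario.com/ba/michael.gif 200
1246000005 10.0.0.7 GET http://anella2009.dominiotemporario.com/ba/kproces.gif 200
1246000006 10.0.0.9 GET http://cdn.example.net/trailer.mpg 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.client}  {hit.reason}  {hit.url}")
    print(suspicious_dropped_files(["notepad.exe", "fotos.exe", "KPROCES.EXE"]))
```

Matching the second-stage host by exact name keeps the rule tight; if the host is later reused with different paths, the "contact with second-stage host" branch still surfaces it for review.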
This Trojan is also known as TrojanDownloader:Win32/VB.LI [Microsoft] and Trojan-Downloader.Win32.Adload [Ikarus].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Adload.LI (Trojan) signature.