Security News

New Trojan Downloader – Branvine.A (June 5, 2009)

By

SonicWALL UTM Research team observed multiple spam campaigns of new Trojan downloader – Branvine.A starting June 2, 2009. The emails have a zip archived attachment which contains the new Trojan downloader variant.

SonicWALL has received more than 10,000 e-mail copies of this malware so far.

While the spammed e-mails and attachment name changed across the different spam campaign, the attachment payload only changed once on June 4, 2009.

When executed the Trojan attempts to connect to the domains below:

  • biz-er.org
  • full-free-xmovies.com
  • mysex-adult.com

It tries to download files from above domains via following GET requests respectively:

  • GET /cnf/bizzi11.exe

    • – Detected as GAV: Agent.BIZ (Trojan)

  • GET /promo1/soft/install-1557.exe

    • – Detected as GAV: PrivacyCenter.DO_2 (Trojan)

  • GET /promo1/soft/install-1557.exe

    • – Detected as GAV: PrivacyCenter.DO_2 (Trojan)

Sample e-mails for each spam campaign are shown below:

June 2, 2009 – Sample Email #1:

screenshot

June 2, 2009 – Sample Email #2:

screenshot

June 2, 2009 – Sample Email #3:

screenshot

June 2, 2009 – Sample Email #4:

screenshot

June 3, 2009 to June 4, 2009 – Sample Email #5:

screenshot

The Trojan is also known as Trojan-Downloader.Win32.Murlo.bdc [Kaspersky], Trojan-Downloader.Win32.Branvine [IKarus], and Downloader-BPX trojan [McAfee]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Branvine.A (Trojan) signature. Total hits recorded since the release of this signature on June 2, 2009 – 2,318,091.

screenshot

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Fake picture installs a data wiper malware
Internet Explorer Vulnerability(MS12-043) Exploited in the Wild (August 30, 2013)
Oracle CREATE_TABLES SQL Injection (Oct 30, 2009)
New Year greeting card spam (Dec 30, 2009)
New Botnet controlled via Twitter (Aug 18, 2009)
Web attacks in November 2018
FakeRansom: Deletes files then demands payment for nothing (Jul 15th, 2016)
Microsoft Security Bulletin Coverage for May 2021