Fake Order – Murlo.CBA Trojan (September 22, 2009)


SonicWALL UTM Research team observed a new Trojan being spammed via Fake order spam campaign starting September 19, 2009. The email has a zip archived attachment which contains the new Murlo Trojan variant.

SonicWALL has received more than 100,000 e-mail copies of this malware so far. The e-mail looks like:

Attachment: nz.zip (contains nz.exe)

Subject: Thank you for setting the order No.475456

Email Body:
Dear customer!

Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

Internet Store.

The e-mail message looks like below:


The executable file inside the zip attachment is packed with PEPACK v1.0 and it looks like:


The Trojan when executed performs following host level activity:

  • Connects and download malicious executable from:
    • http://weragumasekasu(REMOVED)M1B0cl5ZcR8S0j5PE3nJD2CR
    • http://84.16.224(REMOVED)out/1058/32/install.exe

  • Deletes the original file and drops following files:
    • c:1.exe [Detected as GAV: Kryptik.AKT (Trojan)]
    • (Program Files)AntivirusPro_2010AntivirusPro_2010.exe [Detected as GAV: FraudPack.TUH (Trojan)]
    • (System)braviax.exe [Detected as GAV: FraudPack.FOI (Trojan)]
  • Creates following registry entries to ensure that the malware runs upon system startup:
    • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunAntivirus Pro 2010 = “”(ProgramFiles)AntivirusPro_2010AntivirusPro_2010.exe” /hide”
    • HKCUSoftwareMicrosoftWindowsCurrentVersionRunbraviax = “%System%braviax.exe”

The Trojan is also known as Trojan.Downloader.JMJA [BitDefender], Trojan-Downloader.Murlo [Ikarus], and TR/Dldr.Murlo.cba [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Murlo.CBA (Trojan) signature.[11,031,744 hits recorded starting September 19, 2009].


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.