Conflicker.B Infection Alert – New FakeAV variant (Oct 23, 2009)

The SonicWALL UTM Research team has observed a new spam campaign that uses a fake Conficker worm infection alert as its lure to infect users with a new FakeAV Trojan variant.

The e-mail claims to come from the Microsoft Windows Computer Safety Division, warns the recipient of a Conficker worm infection and asks the user to run the attached scanner file. The attachment is a ZIP archive that contains the new FakeAV Trojan variant.

The e-mail looks like:

Subject: Conflicker.B Infection Alert [Notice that Conficker is incorrectly spelled as Conflicker]

Attachment: install.zip (contains install.exe)

Email Body:
————————
Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division
————————

The e-mail message looks like this:

screenshot

SonicWALL has received more than 60,000 copies of this spam e-mail so far, carrying more than 10 distinct attachment payloads.
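The lure relies on a ZIP attachment (install.zip) that hides an executable (install.exe) behind a "scanner" story. The following script is an added example, not part of the original SonicWALL alert, showing how a mail-gateway triage step can catch this class of message offline: it parses the e-mail, looks inside any ZIP attachment and flags members that are Windows executables by extension or by the PE "MZ" magic, so a renamed payload is still caught. The sample message, its subject, body text and attachment contents are constructed here to mirror the campaign described above; they are not the real spam or the real install.exe.

```python
"""Offline triage of the lure e-mail: flag ZIP attachments carrying a Windows
executable, as the fake 'Conflicker.B Infection Alert' spam does."""
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Extensions Windows runs directly when the user double-clicks the file.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Subject line used by this campaign (note the misspelling 'Conflicker').
LURE_SUBJECTS = {"conflicker.b infection alert"}


def build_sample_message(subject: str, member: str, data: bytes) -> bytes:
    """Construct a stand-in for the spam: a ZIP named install.zip holding one
    file. Constructed test data, not the real install.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Dear Microsoft Customer, please install the attached "
                    "file to start the scan.")  # constructed body text
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="install.zip")
    return msg.as_bytes()


def executable_members(zip_bytes: bytes) -> list:
    """Names of ZIP members that are Windows executables, judged by extension
    or by the PE 'MZ' magic so a renamed .exe is still caught."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                magic = fh.read(2)
            if ext in EXECUTABLE_EXTS or magic == b"MZ":
                found.append(info.filename)
    return found


def triage(raw: bytes) -> dict:
    """Return the indicators found in one raw e-mail and a block decision."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    verdict = {"subject_match": subject in LURE_SUBJECTS,
               "exe_in_zip": [], "unreadable_archives": [], "block": False}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        filename = (part.get_filename() or "").lower()
        # Identify archives by magic as well as by name; PK\x03\x04 is the
        # ZIP local file header signature.
        if filename.endswith(".zip") or payload[:4] == b"PK\x03\x04":
            try:
                verdict["exe_in_zip"] += executable_members(payload)
            except zipfile.BadZipFile:
                # Fail closed: an archive we cannot inspect is not let through.
                verdict["unreadable_archives"].append(filename)
    verdict["block"] = (verdict["subject_match"]
                        or bool(verdict["exe_in_zip"])
                        or bool(verdict["unreadable_archives"]))
    return verdict


if __name__ == "__main__":
    sample = build_sample_message("Conflicker.B Infection Alert",
                                  "install.exe", b"MZ" + b"\x00" * 62)
    print(triage(sample))
```

The subject match is campaign-specific and will age quickly; the attachment check is the durable part of the rule, which is why the two are scored separately and either one is enough to block.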

The malicious executable inside the attachment looks like:

screenshot

If the user extracts and executes the attached scanner file, it performs activities similar to those of the previous variant described in the earlier SonicAlert, Postcard Spam:

  • It tries to connect to an arbitrary domain from a predetermined list to download a new Rogue Antivirus application. The run-time memory dump of the malware shows the URLs that it attempts to connect to via HTTP:

    screenshot

  • Creates the following files:
    • (Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe [Detected as GAV: Vilsel.IJR (Trojan)]
    • (Program Files)\AntivirusPro_2010\AVEngn.dll
    • (AppData)\seres.exe [Copy of itself]
    • (AppData)\svcst.exe [Copy of itself]

  • Ensures that the malicious executables run every time Windows restarts by making the following Registry modifications:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010 = “"(Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe" /hide”
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv = “(AppData)\seres.exe”
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = “(AppData)\svcst.exe”
  • It displays a Windows notification claiming that Windows has detected a spyware infection, as seen below:

    screenshot

  • If the user clicks on the notification window, it executes the AntivirusPro_2010.exe that it downloaded from the remote site:

    screenshot

The Trojan is also known as W32/FakeRean.E [F-Prot], Adware/AntivirusPro2010 [Panda], and TrojanDownloader:Win32/FakeRean [Microsoft].

SonicWALL Gateway AntiVirus provides proactive protection against multiple variants of this malware via the GAV: FakeAV.DW (Trojan) signature [total hits recorded since release of the signature: 12,581,546].

screenshot
