Postcard spam – New FakeAV Trojan (Oct 16, 2009)

The SonicWALL UTM Research team observed a new wave of the Postcard spam campaign during the last three days.

The e-mail claims to come from 123Greetings.com and carries an e-card as an attachment. The attachment is a ZIP archive that contains the new FakeAV Trojan variant.

The e-mail looks like:

Subject: You’ve received a postcard

Attachment: ecard.zip (contains ecard.exe)

Email Body:
————————
Good day.

Your family member has sent you an ecard from 123greetings.com.

Send free ecards from 123greetings.com with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days.

If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, open zip attached file.
————————

The e-mail message looks like this:

[screenshot]

The e-mail body remained the same, but the attachment payload kept changing every few hours over the last 3 days. SonicWALL has received more than 50,000 copies of these spam e-mails so far, carrying more than five distinct attachment payloads.

The malicious executable inside the attachment looks like:

[screenshot]

If the user downloads and executes the attached ecard, it performs the following activities:

  • It tries to connect to an arbitrary domain from a predetermined list to download a new Rogue Antivirus application. The run-time memory dump image of the malware shows the URLs that it attempts to connect to via HTTP:

    [screenshot]

  • Creates the following files:
    • (Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe [Detected as GAV: Vilsel.IJR (Trojan)]
    • (Program Files)\AntivirusPro_2010\AVEngn.dll
    • (AppData)\seres.exe
    • (AppData)\svcst.exe
  • Ensures that the malicious executables run every time Windows restarts by making the following registry modifications:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010 = ""(Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe" /hide"
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv = "(AppData)\seres.exe"
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "(AppData)\svcst.exe"
  • It opens a Windows notification indicating that Windows has detected a spyware infection, as seen below:

    [screenshot]

  • If the user clicks on the notification window, it executes the AntivirusPro_2010.exe that it downloaded from the remote site:

    [screenshot]
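As an added example (not code from the SonicWALL post), the following Python script parses a `reg export`-style dump of the Run keys and flags the three persistence values described above. The registry export it scans is constructed for the example; the value names and binary names come from the advisory.

```python
"""Added example (not from the SonicWALL post): parse a .reg export of the
Run keys and flag the persistence entries this FakeAV variant creates.
Only plain REG_SZ string values are handled; the sample export is constructed."""
import re

# Run value names and dropped executables taken from the advisory above.
FAKEAV_RUN_VALUES = {"Antivirus Pro 2010", "mserv", "svchost"}
FAKEAV_BINARIES = {"antiviruspro_2010.exe", "seres.exe", "svcst.exe"}

# Constructed sample of `reg export` output for both Run keys (not a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Pro 2010"="\"C:\\Program Files\\AntivirusPro_2010\\AntivirusPro_2010.exe\" /hide"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mserv"="C:\\Users\\alice\\AppData\\Roaming\\seres.exe"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svcst.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Yield (key, value_name, command) for every string value under a Run key."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.upper().endswith("\\RUN"):
            # .reg files escape quotes and backslashes inside string data.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data

def exe_name(command):
    """Return the lower-cased file name of the executable in a Run command."""
    m = re.search(r'([^\\/"]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def find_fakeav_persistence(reg_text):
    """Return (hive, value_name, command) for entries matching the advisory's IoCs."""
    hits = []
    for key, name, data in parse_run_values(reg_text):
        if name in FAKEAV_RUN_VALUES and exe_name(data) in FAKEAV_BINARIES:
            hits.append((key.split("\\")[0], name, data))
    return hits

if __name__ == "__main__":
    for hive, name, cmd in find_fakeav_persistence(SAMPLE_REG):
        print(f"{hive}\\...\\Run\\{name} -> {cmd}")
```

Matching on both the value name and the dropped binary keeps the check specific to this variant; the legitimate entries in the sample are left alone.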

The Trojan is also known as W32/FakeRean.A [F-Prot], Rogue:W32/Agent.MCF [F-Secure], and Generic FakeAlert!cr [McAfee].

SonicWALL Gateway AntiVirus provided proactive protection against multiple variants of this malware via the GAV: Kryptik.ASA_2 (Trojan) signature [Total hits recorded in the last 3 days: 6,937,170].

[screenshot]
