Fake McAfee E-mail protection tool – Banker Trojan (Apr 15, 2010)

The SonicWALL UTM Research team discovered a new Banker Trojan spam campaign that uses fake McAfee E-mail Protection alerts. The e-mail in the instance we observed is written in Portuguese and warns the user of a computer virus infection.

The e-mail pretends to come from McAfee E-Mail Protection and tells the user that their computer is infected with a virus, Worm/Delf.JBH, which is sending malicious e-mails to every contact found on the computer. It further warns that the user's e-mail account will be permanently blocked if the virus is not removed, and offers a fake cleanup tool from McAfee E-mail Protection for download via a URL in the e-mail. Clicking the URL downloads the new Banker Trojan variant.

The e-mail message looks like:

[screenshots of the e-mail message]

The downloaded fake McAfee E-mail protection cleanup tool looks like:

[screenshot of the fake cleanup tool]

If the user runs the malicious executable file, it performs the following activities:

  • Downloads and executes two further malicious executable files, which are also information-stealing Trojan variants:
    • www.te(REMOVED)di.com/union/u6.jpg => C:\sshs.exe [Detected as GAV: Delf_150 (Trojan)]
    • www.te(REMOVED)di.com/union/u7.jpg => C:\ksso.exe [Detected as GAV: Hupigon_804 (Trojan)]

    Both files are compressed with the PECompact v2 packer. The site hosting these files appears to be compromised, as shown below:

    [screenshot of the compromised hosting site]

  • The executable files above harvest e-mail addresses, log other sensitive information on the victim machine, and send the stolen data via POST requests to a malicious domain.
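Because the second-stage payloads are Windows executables served under .jpg names, a cheap detection for this campaign is to compare each download's file extension with the magic bytes of its body. The script below is an added example, not code from the advisory or from SonicWALL: it parses the DOS/PE header of a response body and flags image-named URLs whose content is a PE file. The host name, URLs and byte strings are constructed placeholders, and the function names are my own.

```python
import os
import struct
from urllib.parse import urlparse

# Constructed sample downloads as (URL, response body). The host is a placeholder
# modelled on the advisory's "/union/u6.jpg" pattern, not the real domain, and the
# bodies are hand-built byte strings, not real malware.
SAMPLE_DOWNLOADS = [
    # .jpg URL whose body is a minimal DOS/PE header: the pattern the campaign uses
    ("http://compromised-host.invalid/union/u6.jpg",
     b"MZ\x90\x00" + b"\x00" * 56            # DOS header up to offset 0x3C
     + struct.pack("<I", 0x80)               # e_lfanew -> PE signature at 0x80
     + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 20),
    # .jpg URL whose body really is a JPEG (SOI marker FF D8 FF)
    ("http://compromised-host.invalid/union/photo.jpg",
     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40),
    # starts with "MZ" but e_lfanew does not point at "PE\0\0": not a PE file
    ("http://compromised-host.invalid/union/notes.txt",
     b"MZ" + b"\x00" * 100),
]

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
JPEG_MAGIC = b"\xff\xd8\xff"


def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(url: str, body: bytes) -> str:
    """Label a download by comparing the URL's extension with the body's magic bytes."""
    ext = os.path.splitext(urlparse(url).path.lower())[1]
    if is_pe_file(body):
        return "pe-disguised-as-image" if ext in IMAGE_EXTENSIONS else "pe"
    if ext in IMAGE_EXTENSIONS and body.startswith(JPEG_MAGIC):
        return "image"
    return "other"


def find_disguised_executables(downloads):
    """Return the URLs whose image-looking name hides a Windows executable."""
    return [url for url, body in downloads
            if classify_download(url, body) == "pe-disguised-as-image"]


if __name__ == "__main__":
    for url in find_disguised_executables(SAMPLE_DOWNLOADS):
        print("ALERT: PE served as image:", url)
```

The same check can be run over bodies captured by a web proxy or sandbox; a real PE header check avoids the false positives a bare "MZ" prefix match would produce.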

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Banker.BXQ_3 (Trojan) signature.
