Fake McAfee E-mail protection tool – Banker Trojan (Apr 15, 2010)


SonicWALL UTM Research team discovered a new Banker Trojan spam theme involving fake McAfee E-mail Protection alerts. The e-mail for the instance we saw is in Portuguese and it warns the user about a computer virus infection.

The e-mail pretends to arrive from McAfee E-Mail Protection and informs the user about his computer being infected with a virus – Worm/Delf.JBH that is sending out malicious emails to all the contacts found on the computer. It further warns the user that the e-mail account will be permanently blocked if the virus is not removed and offers the user to download a fake cleanup tool from McAfee E-mail protection via a URL in the email. If the user clicks on the URL it leads to the download of the new Banker Trojan variant.

The e-mail message looks like:




The downloaded fake McAfee E-mail protection cleanup tool looks like:


If the user runs the malicious executable file, it performs the following activities:

  • Downloads and executes two malicious executables files which are also Information stealing Trojan variants:
    • www.te(REMOVED)di.com/union/u6.jpg => C:sshs.exe [Detected as GAV: Delf_150 (Trojan)]
    • www.te(REMOVED)di.com/union/u7.jpg => C:ksso.exe [Detected as GAV: Hupigon_804 (Trojan)]

    Both the files are compressed with PECompact v2 packer. The site hosting these files appears to be compromised as shown below:


  • The above executable files harvests e-mail addresses and logs other sensitive information on the victim machine and sends the stolen data via POST requests to a malicious domain.

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Banker.BXQ_3 (Trojan) signature.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.