Defense Center – Rogue AV (June 25, 2010)
SonicWALL UTM Research team found instances of a new Rogue AV downloader being spammed in the wild with the theme “Statement of Fees”. The e-mail contains the downloader file inside the zip attachment.
Below is a sample e-mail:
Email Campaign – Statement of Fees
Subject: Statement of fees 2010
Attachment: Statement_of_Fees_2010.DOC.zip (contains Statement_of_Fees_2010.DOC.exe)
Email Body:
————————
Please find attached a statement of fees as
requested, this will be posted today.
The accomodation is dealt with by another
section and I have passed your request on to them
today
Kind regards.
{email sender}
————————
The e-mail message looks like below:
Malicious executable file inside the zip attachment disguise itself as a document file via Microsoft Word icon:
Once the user runs the executable file, the Trojan will download and install the Rogue AV from the following URLs:
- http://(REMOVED)fic.com/ms04/ad
- http://(REMOVED)can.com/ms04/ad
- http://(REMOVED)kol.com/ms04/ad
Prior to downloading the Rogue AV, it will first do the following system activities:
- To ensure that only one intance of this downloader runs in the memory, it creates a mutex: AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
- Adds the following in the registry:
Key: [HKEY_CURRENT_USERPrintersConnections] Data: “subid”=”landing”
Data: “affid”=”396” - Creates the file _favdata.dat at Documents and SettingsAll UsersFavorites folder with the following content:
386
landing - Verifies that the location of the user is not in the following list before continuing its installation:
– Azerbaijan
– Belarus
– Czech Republic
– Kazakhstan
– Kyrgyzstan
– Poland
– Russia
– Ukraine
– Uzbekistan
Rogue AV Installation
- (Temp)wscsvc32.exe – GAV: Conficker.gen (Worm)
- (Temp)autmgr32.exe – GAV: Tibs.JF (Trojan)
- (Program Files)Defense Center
- (Program Files)Defense Centerdefcnt.exe – GAV: Conficker.gen (Worm)
- (Program Files)Defense Centerdefext.dll – GAV: Conficker.gen (Worm)
- (Program Files)Defense Centerdefhook.dll – GAV: Conficker.gen (Worm)
- Documents and Settings{User}Start MenuProgramsDefense Center
- Documents and Settings{User}Start MenuProgramsDefense CenterAbout.lnk
- Documents and Settings{User}Start MenuProgramsDefense CenterActivate.lnk
- Documents and Settings{User}Start MenuProgramsDefense CenterBuy.lnk
- Documents and Settings{User}Start MenuProgramsDefense CenterDefense Center Support.lnk
- Documents and Settings{User}Start MenuProgramsDefense CenterDefense Center.lnk
- Documents and Settings{User}Start MenuProgramsDefense CenterScan.lnk
- Documents and Settings{User}Start MenuProgramsDefense CenterSettings.lnk
- Documents and Settings{User}Start MenuProgramsDefense CenterUpdate.lnk
- Key: HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
Value: Defense Center
Data: “”C:Program FilesDefense Centerdefcnt.exe” -noscan” - Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
Value: DisableTaskMgr
Data: dword:00000001 - Key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
Value: DisableTaskMgr
Data: dword:00000001 - Key: HKEY_CLASSES_ROOT.exeshellopencommand
Value: @
Data: autmgr32.exe /START “%1″ %*” - Key: HKEY_CLASSES_ROOTsecfileshellopencommand
Value: @
Data: autmgr32.exe /START “%1″ %*” - Key: HKEY_CLASSES_ROOT.exe
Value: @
Original Data: “exefile”
New Data: “secfile” - GAV: TDSS.BHKV (Trojan) – (6,204 hits)
- GAV: Tibs.JF (Trojan)
- Tdss.BEEA_2 (Trojan))
- GAV: Conficker.gen (Worm)
Files Added:
Registries Added:
- Auto Startup Entry
- Disables Task Manager
- Shell Spawning
Registries Modified:
After installation, the Rogue AV will pretend to perform full system scan for any malware infection. At the end of scanning it displays fake results indicating malware infection on the system:
Once the user clicks the button to remove the threats, it will prompt for product activation which redirects the user to its payment portal.
SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via following signatures:
