Desktop Security 2010 – Rogue AV (May 6, 2010)


SonicWALL UTM Research team observed reports of a new Rogue AV downloader being spammed in the wild since yesterday via Invoice e-mail spam and Ecard e-mail spam campaigns. The Downloader Trojan arrives as an e-mail attachment or gets downloaded via a URL in the e-mail.

Campaign #1 – Transaction Invoice e-mail spam

Subject: Your transaction has been processed

Attachment: (contains invoice.exe)

Email Body:
Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
And will inform you about delivery.
Amazon Team

The e-mail message looks like below:


Campaign #2 – Ecard e-mail spam

Subject: You Have Received a Greeting Card

Attachment: none

Email Body:
Good day.
You have received an eCard

To pick up your eCard, click on the following link (or copy & paste it
into your web browser):


Your card will be available for pick-up beginning for the next 30
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

The e-mail message looks like below:


When the user clicks the URL, it will lead to this Google Groups page pointing to the Rogue AV downloader.


Installs itself as the following files and could use different file names per every infection:

  • Program FilesCommon FilesMicrosoft SharedDWApplicationReporting.exe – (151,040 bytes)
  • Program FilesCommon FilesMicrosoft SharedDW1033WindowsTMOperating.exe- (151,040 bytes)
  • Program FilesCommon FilesMicrosoft SharedDW1036ErrorMicrosoft.exe – (151,040 bytes)
  • Program FilesWindows NTAccessoriesWindowsMicrosoft.exe – (151,040 bytes)
  • Program FilesOnline ServicesProvidersRefer.exe – (151,040 bytes)

It attempts to connect to and downloads Desktop Security 2010 Installer vi following HTTP request:

  • GET Request: GET /getfile.php?r={random 10 digits character}&p={REMOVED}=

Installs the Desktop Security 2010 Rogue AV as seen below:



Registry Changes

    Added Registry

  • Key: HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun>
    Value: TCPViewSysinternals
    Data: “C:Documents and Settings(UserName)Desktopinvoice.exe”

    Value: SAPI5WindowsTM
    Data: “c:program filescommon filesmicrosoft sharedspeech1033windowstmoperating.exe”

  • Key: HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServices
    Value: DWIntl20Application
    Data: “Program FilesCommon FilesMicrosoft SharedDW1036ErrorMicrosoft.exe”

    Value: wordpadWindows
    Data: “Program FilesWindows NTAccessoriesWindowsMicrosoft.exe”

    Value: NotificationsSubscriber
    Data: “Program FilesCommon FilesMicrosoft SharedDWApplicationReporting.exe”

    Value: moreInternet
    Data: “Program FilesOnline ServicesProvidersRefer.exe”

  • Key: HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
    Value: Desktop Security 2010
    Data: “Application DataDesktop Security 2010Desktop Security 2010.exe” /STARTUP

    Value: SecurityCenter
    Data: “Application DataDesktop Security 2010securitycenter.exe”

  • Key: HKCUSoftwareMicrosoftWindowsCurrentVersionUninstallDesktop Security 2010
    Value: DisplayName
    Data: “Desktop Security 2010”

    Value: UninstallString
    Data: “Application DataDesktop Security 2010securityhelper.exe” /UNINSTALL

    Value: DisplayIcon
    Data: “Application DataDesktop Security 2010securityhelper.exe”,1

Remote Server Connection:

    This Rogue AV tries to connect to remote server and reports back system information and installation logs. Shown below is sample data sent to the server:


SonicWALL Gateway AntiVirus provided protection against these spammed Rogue AV variants via following signatures:

  • GAV: FakeAlert.GEN_6 (Trojan)- (3 million hits recorded till now)
  • GAV: FakeAV.DH (Trojan)


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.