Protection Center – Rogue AV (June 4, 2010)

The SonicWALL UTM Research team observed reports of a new Rogue AV downloader being spammed in the wild under a variety of e-mail themes. Each e-mail carries the downloader executable inside a zip attachment. Below are sample e-mails for each of these spam themes:

Campaign #1 – Online Order e-mail spam

Subject: Thank you for setting the oder No. [6-digits]

Attachment: label.zip (contains label.exe)

Email Body:
————————
Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was send at your address.
The tracking number of your postal parcel is indicated in the document
attached to this letter
Please print out the postal label for receiving the parcel.

Internet Store.
————————

The e-mail message looks like below:

    screenshot

Campaign #2 – Outlook Setup Notification email spam

Subject: Outlook Setup Notification

Attachment: outlookupdate.zip (contains outlookupdate.exe)

Email Body:
————————
You have (8) messages from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.
————————

The e-mail message looks like below:

    screenshot

Campaign #3 – Twitter Password e-mail spam

Subject: Reset your Twitter password

Attachment: password.zip (contains password.exe)

Email Body:
————————
Hey there.

Because of the measures taken to provide safety to our
clients, your password has been changed.
You can find your new password in attached document.

Yours,
Twitter=
————————

The e-mail message looks like below:

    screenshot
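All three lures share one technical feature: a small zip attachment whose only member is a Windows executable. The following added example (not code from SonicWALL or from the original post) is a gateway-side check for exactly that shape; it parses a MIME message, opens any zip attachment in memory and flags members that carry a PE header or an executable extension. The message, the addresses and the attachment bytes are constructed for the demonstration.

```python
"""Inspect a mail message for the lure shape used by all three campaigns above:
a .zip attachment whose member is a Windows executable.

Added example, not SonicWALL code. The message is constructed inline so the
check runs offline; the attachment is a stub with only the PE "MZ" signature.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Extensions Windows runs directly when double-clicked (not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def build_sample_message(zip_member: str = "label.exe",
                         member_bytes: bytes = b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed message shaped like Campaign #1 (assumed addresses, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zip_member, member_bytes)
    msg = EmailMessage()
    msg["From"] = "store@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Thank you for setting the oder No. 123456"
    msg.set_content("Thank you for ordering at our online store.\n"
                    "Please print out the postal label for receiving the parcel.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="label.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (member, reason) for each zip member that looks executable."""
    hits: List[Tuple[str, str]] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                # Use the last extension so "label.pdf.exe" is still caught.
                ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
                if info.flag_bits & 0x1:
                    # Password-protected member: cannot look inside, so flag it.
                    hits.append((name, "encrypted member"))
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ":                      # PE/DOS header, whatever the name
                    hits.append((name, "PE header"))
                elif ext in EXEC_EXTENSIONS:
                    hits.append((name, f"executable extension {ext}"))
    except zipfile.BadZipFile:
        hits.append(("<attachment>", "not a valid zip"))
    return hits


def scan_message(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (attachment, member, reason) for every suspicious attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[Tuple[str, str, str]] = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04" or fname.lower().endswith(".zip"):
            for member, reason in inspect_zip(payload):
                findings.append((fname, member, reason))
        elif payload[:2] == b"MZ":                     # bare executable attachment
            findings.append((fname, fname, "PE header"))
    return findings


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("BLOCK", hit)
```

The check looks at the first two bytes of each member rather than trusting the name, so a renamed executable is still caught, and an encrypted member is reported rather than silently passed, since the gateway cannot inspect it.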

Rogue AV Installation

Once the user opens the zip attachment and executes the malicious file, the Trojan downloads and installs the Rogue AV from the following URLs:

  • http://(REMOVED).org/ms03/ad
  • http://(REMOVED).com/ms03/ad
  • http://(REMOVED).com/ms03/ad

    screenshot

    screenshot

Files Added:

  • Documents and Settings\{User}\Local Settings\Temp\wscsvc32.exe – GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Local Settings\Temp\mscdexnt.exe – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center
  • Program Files\Protection Center\cntprot.exe – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center\cntext.dll – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center\cnthook.dll – GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\About.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Activate.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Buy.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Protection Center Support.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Protection Center.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Scan.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Settings.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Update.lnk

Registries Added:

    Auto Startup Entry
  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Protection Center
    Data: "C:\Program Files\Protection Center\cntprot.exe" -noscan
    Disabling Task Manager
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
    Shell Spawning (.exe file-association hijack: every program the user launches is started through mscdexnt.exe)
  • Key: HKEY_CLASSES_ROOT\.exe\shell\open\command
    Value: @
    Data: mscdexnt.exe /START "%1" %*
  • Key: HKEY_CLASSES_ROOT\secfile\shell\open\command
    Value: @
    Data: mscdexnt.exe /START "%1" %*

Registries Modified:

  • Key: HKEY_CLASSES_ROOT\.exe
    Value: @
    Original Data: "exefile"
    New Data: "secfile"

Because .exe now resolves to the secfile ProgId, whose open command is the dropped mscdexnt.exe, the malware regains control each time any executable is run. Cleanup therefore has to restore the .exe default value to exefile (or remove the secfile command) before other tools on the host can be trusted to launch normally.
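To spot these changes on a suspect host from an exported hive, the following added example (not SonicWALL's or the page's own code) parses a regedit-style .reg dump and flags each indicator in the lists above: the Run entry, DisableTaskMgr, the .exe ProgId pointing away from exefile, and any shell\open\command on the .exe launch path that is not the stock "%1" %*. The sample dump is constructed to mirror the entries above, not captured from a real machine.

```python
"""Flag the registry changes described above in a regedit / `reg export` dump.

Added example, not code from SonicWALL or from the malware write-up. It parses
the plain-text .reg format and reports the four indicators the page lists:
the Run entry, DisableTaskMgr, the .exe ProgId pointing away from "exefile",
and a shell\\open\\command that launches anything other than "%1" %*.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export (not a capture from an infected host); it mirrors
# the Registries Added / Modified sections of the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Protection Center"="\"C:\\Program Files\\Protection Center\\cntprot.exe\" -noscan"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="mscdexnt.exe /START \"%1\" %*"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="mscdexnt.exe /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

RegTree = Dict[str, Dict[str, object]]      # key path (lower-cased) -> {value name: data}
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
DEFAULT_EXE_COMMAND = re.compile(r'^"%1"\s+%\*$')   # stock exefile\shell\open\command


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(.)', r'\1', s)


def _decode_value(raw: str) -> object:
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw  # hex(...) blobs and other types are kept verbatim; not needed here


def parse_reg(text: str) -> RegTree:
    """Parse .reg text. Value name "" holds the key's default (@) value."""
    tree: RegTree = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()        # registry key paths are case-insensitive
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue                            # e.g. continuation lines of hex values
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        tree[current][name] = _decode_value(m.group(2))
    return tree


def _get(tree: RegTree, path: str, name: str = ""):
    return tree.get(path.lower(), {}).get(name)


def find_indicators(tree: RegTree) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the changes listed in the write-up."""
    findings: List[Tuple[str, str]] = []
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        # 1. Auto-start entry for the rogue's own executable.
        run = tree.get(hive.lower() + r"\software\microsoft\windows\currentversion\run", {})
        for name, data in run.items():
            if "protection center" in name.lower() or "cntprot.exe" in str(data).lower():
                findings.append(("run_entry", f"{hive}\\...\\Run\\{name} = {data}"))
        # 2. Task Manager disabled by policy.
        if _get(tree, hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr") == 1:
            findings.append(("disable_taskmgr", hive))
    # 3. .exe ProgId redirected away from exefile.
    progid = _get(tree, r"HKEY_CLASSES_ROOT\.exe")
    if progid is not None and str(progid).lower() != "exefile":
        findings.append(("exe_progid_hijack", f".exe -> {progid}"))
    # 4. Every open command an .exe launch can resolve to must be exactly "%1" %*.
    candidates: List[str] = []
    for pid in (".exe", str(progid or "exefile"), "exefile"):
        if pid not in candidates:
            candidates.append(pid)
    for pid in candidates:
        cmd = _get(tree, "HKEY_CLASSES_ROOT\\" + pid + r"\shell\open\command")
        if cmd is not None and not DEFAULT_EXE_COMMAND.match(str(cmd)):
            findings.append(("exe_open_command_hijack", f"{pid}: {cmd}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{indicator:26s} {detail}")
```

Run against an export taken with `reg export HKCR\.exe` and `reg export HKCR\secfile` (plus the Run and Policies keys), the script reports the hijacked ProgId and both rogue open commands while leaving the untouched exefile command alone; a clean host yields no findings.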

After installation, the Rogue AV runs and pretends to scan the whole system for malware. At the end of the scan it displays fake results claiming the system is infected. Shown below is a screenshot of the fake detection result.

    screenshot

Once the user clicks the button to remove the threats, it prompts for product activation, which redirects the user to its payment portal.

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via the following signatures:

  • GAV: Suspicious#polycrypt.12 (Worm) – (5,996,197 hits)
  • GAV: Suspicious#fakeav_4 (Trojan) – (339,789 hits)
  • GAV: FakeAV.DN (Trojan)
  • GAV: Conficker.gen (Worm)

screenshot

screenshot
