FakeAV Downloader – CV spam (Sept 24, 2010)

The SonicWALL UTM Research team observed a new wave of the Resume spam campaign starting at noon today. The e-mails carry a zip archive attachment, and the archive contains a malicious executable. This is different from the FakeAV HTML campaign that we reported last week.

The Resume spam campaign consists of e-mails that claim to carry a CV document as an attachment. This spam theme was last used by the Bredolab authors in July 2010. The SonicWALL UTM Research team has received more than 20,000 copies of e-mails from this campaign so far, and it is still ongoing.

Some of the E-mail subjects we have seen in this campaign so far:

  • The resume document is attached.
  • I have attached the resume.
  • Please find attached.
  • Enclosed please find.
  • Here’s that file that you wanted.
  • Enclosed is my CV for your consideration. Thanks

Sample e-mail messages look like:

screenshot

The zip archive attachment contains a malicious executable file, cv.exe, which is a new variant of the FakeAV Downloader Trojan. Upon execution it downloads and installs FakeAV malware [Antivirus Safebrowser] on the victim machine, which then demands payment.
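The delivery mechanism described above, a zip attachment with an executable inside, is easy to catch at the mail gateway before a user ever sees it. The following script is an added example, not code from the SonicWALL post: it parses an RFC 822 message, finds zip attachments by content (not by Content-Type or extension), and reports archive members that carry an executable extension or a PE "MZ" header, so a cv.exe renamed to cv.pdf inside the archive is still flagged. The sample e-mail, the addresses and the 64-byte MZ stub standing in for cv.exe are all constructed here and are not real campaign artefacts.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that have no business inside an unsolicited "resume" archive
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}
ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every non-empty zip
PE_MAGIC = b"MZ"            # DOS stub signature that starts every PE executable


def suspicious_zip_members(zip_bytes):
    """Return (member_name, reason) for every archive member that looks executable.

    Both the member name and the first bytes of its content are checked, so a
    PE renamed to cv.pdf inside the archive is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            if os.path.splitext(info.filename)[1].lower() in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            with zf.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    reasons.append("PE header")
            if reasons:
                hits.append((info.filename, ", ".join(reasons)))
    return hits


def scan_message(raw_bytes):
    """Parse an RFC 822 message and return (attachment, member, reason) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by Content-Type or the attachment's extension
        if not payload.startswith(ZIP_MAGIC):
            continue
        try:
            for member, reason in suspicious_zip_members(payload):
                findings.append((name, member, reason))
        except zipfile.BadZipFile:
            findings.append((name, "", "zip magic but unreadable archive"))
    return findings


def build_sample_message(member_name="cv.exe", member_data=b"MZ" + b"\x00" * 62):
    """Constructed test input: a 'resume' e-mail carrying cv.zip with one member.

    The default member is a 64-byte stub that only carries the MZ magic; it is
    not executable code. Addresses are placeholders.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Enclosed is my CV for your consideration. Thanks"
    msg.set_content("Please find attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="cv.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member, reason in scan_message(build_sample_message()):
        print(f"{attachment}: {member} ({reason})")
```

Checking the zip magic and the member's MZ header rather than trusting names is the point: the campaign's subject lines change, but the delivered object is still an archive wrapping a PE.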

screenshot

It attempts to connect to multiple malicious domains (redacted below) to download malware executables and related configuration files:

  • (REMOVED)lups.com/a/ad
  • (REMOVED)hamed.org/any3/5-direct.ex
  • (REMOVED)ndconvince.org/avt/avt_db
  • (REMOVED)ort.com/customers/getbuild.php
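Because the hostnames are redacted, the usable network indicators are the URL paths. The script below is an added example, not part of the SonicWALL post: it parses Squid native access.log lines (an assumed log format), matches each request's path against the paths quoted above, and groups hits per client so infected hosts can be triaged. "/any3/5-direct.ex" is treated as a prefix on the assumption that it is truncated in the post; the other paths are matched exactly to avoid false positives such as "/a/admin/". The log lines and hostnames are constructed for the example and are not the real campaign domains.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# URL paths exactly as quoted in the advisory; the hostnames are redacted there,
# so matching is on path alone.
EXACT_PATHS = {"/a/ad", "/avt/avt_db", "/customers/getbuild.php"}
# Assumption: "/any3/5-direct.ex" is truncated in the post, so it is matched as a prefix.
PREFIX_PATHS = ("/any3/5-direct.ex",)


def match_indicator(url):
    """Return the indicator path a URL matches, or None."""
    path = urlsplit(url).path
    if path in EXACT_PATHS:
        return path
    for prefix in PREFIX_PATHS:
        if path.startswith(prefix):
            return prefix
    return None


def parse_squid_line(line):
    """Parse one Squid native access.log line into the fields we need."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": float(fields[0]), "client": fields[2],
            "status": fields[3], "method": fields[5], "url": fields[6]}


def find_indicator_hits(lines):
    """Return (client, url, indicator) for every log line that hits an indicator path."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        ioc = match_indicator(rec["url"])
        if ioc is not None:
            hits.append((rec["client"], rec["url"], ioc))
    return hits


def clients_to_triage(lines):
    """Map each client IP to the set of indicator paths it requested."""
    seen = defaultdict(set)
    for client, _url, ioc in find_indicator_hits(lines):
        seen[client].add(ioc)
    return dict(seen)


# Constructed sample log; hostnames are placeholders, not the redacted domains.
SAMPLE_LOG = """\
1285349521.117   312 10.1.2.30 TCP_MISS/200 4096 GET http://host-a.example/a/ad - DIRECT/192.0.2.10 text/plain
1285349523.402   890 10.1.2.30 TCP_MISS/200 183296 GET http://host-b.example/customers/getbuild.php - DIRECT/192.0.2.11 application/octet-stream
1285349530.005    45 10.1.2.31 TCP_MISS/200 2210 GET http://www.example.invalid/a/admin/index.html - DIRECT/192.0.2.12 text/html
1285349531.010    60 10.1.2.32 TCP_MISS/404 512 GET http://cdn.example.invalid/avt/avt_db2 - DIRECT/192.0.2.13 text/html
"""

if __name__ == "__main__":
    for client, iocs in clients_to_triage(SAMPLE_LOG.splitlines()).items():
        print(client, sorted(iocs))
```

A host that requests both the downloader's first URL and the getbuild.php stage is a stronger lead than a single path hit; treat matches as triage candidates, not proof of infection.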

The following files are dropped onto the victim machine:

  • (User Favorites)\_favdata.dat
  • (User Temp)\asd94.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\asd95.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\asd96.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\asd97.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\eapp32hst.dll [Detected as GAV: ZPACK.GEN_187 (Trojan)]
  • (User Temp)\wscsvc32.exe [Detected as GAV: Conficker.gen (Worm)]
  • (Program Files)\AnVi\avt.db
  • (Program Files)\AnVi\avt.exe [Detected as GAV: Kryptik.AT_7 (Trojan)]
  • (User Temp)\dfrgsnapnt.exe [Detected as GAV: FraudLoad.XFUP (Trojan)]

If the user attempts to open any other legitimate executable, the FakeAV malware blocks the launch and displays a fake infection message, as seen below for the Calculator program:

screenshot

As seen in other FakeAV malware analyses, it then scans the system files and displays more fake infections, prompting the user to purchase the application in order to clean them up.

screenshot

SonicWALL Gateway AntiVirus provides protection against this FakeAV Downloader Trojan with the GAV: Kryptik.AJD (Trojan) signature.

screenshot
