Spam from your Facebook account – (Apr 29, 2011)

The SonicWALL UTM Research team received reports of a new spam campaign, spreading in the wild, that pretends to come from the Facebook Abuse Department. It carries a new variant of the Oficla Trojan, which SonicWALL blocks as GAV: Oficla.MME. This worm also downloads component files, including a mass mailer, an info-stealer and FakeAV malware.

The sample e-mail format of the spam campaign includes the following:

Subject:

  • Spam from your Facebook account
  • Spam from your account
  • Your password has been changed

Attachment: Attached_SecurityCode{Random Numbers}.zip

[screenshot of the sample spam e-mail]

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates the process SVCHOST.EXE and injects its code.
  • Deletes the original executable file

Downloads other malware:

  • Application Data\gog.exe – [ detected as GAV: FakeAV.MME (Trojan) ]
  • %windir%\system32\aspimgr.exe – [ detected as GAV: Mailer.G (Trojan) ]
  • %temp%\Qojmytwjb.exe – [ detected as GAV: Mailer.G_2 (Trojan) ]
  • %temp%\grabbers – [ detected as GAV: Grabber.A (Trojan) ]

Dropped files:

  • %windir%\s32.txt
  • %windir%\ws386.ini
  • %temp%\_check32.bat
  • Application Data\install

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: "C:\Documents and Settings\research\Application Data\gog.exe"
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
    Value: ImagePath
    Data: %windir%\System32\aspimgr.exe
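The two registry entries above are the Trojan's persistence: the Winlogon Shell value normally holds explorer.exe, so pointing it at gog.exe runs the FakeAV component at every logon, and the aspimgr service starts the mass mailer. The following added example (not the advisory's code) checks an exported .reg text for both; the export is constructed here and the parser handles plain string values only.

```python
"""Added example, not from the advisory: check a registry export (.reg text,
constructed below) for the Oficla persistence entries listed above."""

WINLOGON = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: data}} for REG_SZ values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes inside string data as "\\".
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_persistence(reg_text):
    """Return human-readable findings for the two persistence entries."""
    findings = []
    reg = parse_reg(reg_text)
    shell = reg.get(WINLOGON, {}).get("Shell")
    # Winlogon\Shell launches the desktop; the default is explorer.exe, so any
    # other program here is started at every logon (here: gog.exe).
    if shell and shell.lower() != "explorer.exe":
        findings.append("Winlogon Shell replaced: " + shell)
    for key, values in reg.items():
        if not key.startswith(SERVICES):
            continue
        name, image = key[len(SERVICES):], values.get("ImagePath", "")
        # The mass mailer registers itself as the aspimgr service.
        if name.lower() == "aspimgr" or "aspimgr.exe" in image.lower():
            findings.append(f"suspicious service {name}: {image}")
    return findings


# Constructed registry export modelled on the advisory's "Added Registry" list.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\research\\Application Data\\gog.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr]
"ImagePath"="%windir%\\System32\\aspimgr.exe"
'''
# Constructed clean export: the default Shell value and no aspimgr service.
CLEAN_REG = f'[{WINLOGON}]\n"Shell"="explorer.exe"\n'
```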

Network Activity:

HTTP GET Requests:

  • http://campaign{REMOVED}ions.ru/connect/load.php
  • http://campaign{REMOVED}hools.ru/connect/load.php
  • http://campf{REMOVED}om.ru/connect/load.php
  • http://camp{REMOVED}a.ru/connect/load.php

HTTP POST Requests:
This worm downloads a malware component that steals information from the system and sends that information to the following URL:

  • http://campaign{REMOVED}ations.ru/connect/grabbers.php

DNS Requests:

  • cl6{REMOVED}tart.ru
  • hy{REMOVED}ys.ru
  • ml6{REMOVED}art.ru
  • 94.244.80.60
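The network pattern above (GET to /connect/load.php to fetch components, POST to /connect/grabbers.php to deliver stolen data) is what a defender can look for in proxy logs. The following added example, not part of the advisory, runs that check over a constructed log; the log format and the placeholder .ru host names are assumptions, since the real hosts are redacted.

```python
"""Added example, not from the advisory: flag proxy log lines that match the
Oficla C2 pattern. Constructed log format: '<timestamp> <client_ip> <METHOD> <url>'."""
import re
from urllib.parse import urlparse

# Paths from the advisory: load.php is the downloader beacon (GET),
# grabbers.php receives the stolen credentials (POST).
C2_PATHS = {
    "/connect/load.php": ("GET", "downloader beacon"),
    "/connect/grabbers.php": ("POST", "credential exfiltration"),
}
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")


def classify(line):
    """Return (client_ip, verdict) or None when the line is not suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, raw_url = m.groups()
    url = urlparse(raw_url)
    hit = C2_PATHS.get(url.path)
    if hit is None:
        return None
    expected_method, label = hit
    # Every C2 host in the advisory sits under .ru; the same path elsewhere
    # still deserves review because the path alone is not very distinctive.
    confidence = "high" if (url.hostname or "").endswith(".ru") else "review"
    if method != expected_method:
        label += f" (unexpected {method})"
    return client, f"{confidence}: {label} -> {url.hostname}"


def scan(lines):
    """Group verdicts per client so the hosts to isolate fall out directly."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits


# Constructed sample log modelled on the advisory's GET/POST activity.
SAMPLE_LOG = [
    "2011-04-29T10:01:02 10.0.0.15 GET http://campaign-placeholder.ru/connect/load.php",
    "2011-04-29T10:01:09 10.0.0.15 POST http://campaign-placeholder.ru/connect/grabbers.php",
    "2011-04-29T10:02:00 10.0.0.21 GET http://www.yahoo.com/",
    "2011-04-29T10:03:11 10.0.0.21 GET http://intranet.example/connect/load.php?x=1",
]
```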

Mass Mailer

Checks for internet connectivity by connecting to the following sites:

  • www.yahoo.com
  • www.web.de

Checks connectivity to SMTP servers by querying MX records, as shown below:

[screenshot of the MX record queries]

Collects e-mail addresses but ignores addresses with the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com

Information Stealing
Steals credentials from the following applications:

Poker Games:

  • Full Tilt Poker
  • Pacificpoker
  • PartyPoker
  • Titan Poker

FTP Clients:

  • BitKinex
  • Bullet Proof FTP
  • BulletProof FTP Client 2009
  • BulletProof FTP Client 2010
  • ClassicFTP
  • CoffeeCup FTP
  • CuteFTP 6 Home
  • CuteFTP 6 Professional
  • CuteFTP 7 Home
  • CuteFTP 7 Professional
  • CuteFTP 8 Home
  • CuteFTP 8 Professional
  • CuteFTP Lite
  • CuteFTP Pro
  • CuteFTP
  • Dev Zero G
  • DirectFTP
  • ExpanDrive
  • FAR Manager FTP
  • FTP Commander
  • FTP Explorer
  • FTPClient
  • FTPRush
  • FileZilla
  • FlashFXP
  • Fling
  • Frigate3 FTP
  • NetDrive
  • SmartFTP
  • Sota
  • TurboFTP
  • WS_FTP
  • WebDrive

Web Browsers:

  • Flock
  • Google Chrome
  • IE
  • Mozilla
  • Opera
  • Safari
  • Seamonkey
  • Thunderbird

IM Clients:

  • AIM
  • ICQ
  • MSN
  • Messenger-2
  • Miranda
  • Trillian
  • Yahoo
  • Vypress

Mail Clients:

  • Eudora
  • Forte
  • Mail Commander
  • Mail.Ru
  • POP Peeper
  • PocoMail
  • Windows Mail

Others:

  • Myspace
  • Pandion
  • Sipphone

FakeAV

After installing the FakeAV application, it shows a fake Microsoft Security Essentials alert, as seen below:

[screenshot of the fake Microsoft Security Essentials alert]

After clicking the "Scan Online" button, it shows the following message and prompts the user to reboot the system:

[screenshot of the reboot prompt]

After the system reboots, the following FakeAV screens appear. The application then asks the user to pay for the software in order to completely clean the system.

[screenshots of the FakeAV screens]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.MME (Trojan)
  • GAV: Grabber.A (Trojan)
  • GAV: Mailer.G (Trojan)
  • GAV: Mailer.G_2 (Trojan)
  • GAV: Oficla.MME (Trojan)