Drive-by download leads to Backdoor Trojan (May 11, 2011)

SonicWALL UTM Research team discovered instances of malicious Java applets being used to perform drive-by downloads of malware. Once the applet executes, the malware is downloaded and executed without any further user interaction. The downloaded malware was found reporting system information back to a remote server, and it also creates a backdoor on the victim's machine. When a user visits a malicious domain hosting the applet, it runs as seen below:

screenshot

The applet is unsigned and prompts for the user's permission to run. If the user proceeds and runs the applet, it silently downloads a file and executes it. The downloaded executable performs the following activities:

  • It creates the following copies of the same file:
    • %appdata%\DocumentWriter.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\privzate.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\6858.jpg [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\51156.jpg [Detected as GAV: VB.SGQ (Trojan)]

  • It creates the following registry entry to ensure that it runs on every system reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%appdata%\DocumentWriter.exe"
  • It determines the public IP address by performing the following HTTP request to api.ipinfodb.com:
    • GET /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off

  • It creates a backdoor listening on TCP port 1232
  • It sends information back to a remote server, such as version, infection date, IP address, OS information and screenshots
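
A host triage check for the indicators listed above (dropped copies, the Run-key autorun value and the TCP 1232 listener), written as an added example rather than SonicWALL's own tooling; the environment variables, file listing, Run-key value name and netstat lines are constructed samples, and on a real host you would feed it the actual Run key values, a file listing and `netstat -ano` output.

```python
"""Match a host's state against the indicators from the write-up."""
import re
from pathlib import PureWindowsPath

# Indicators from the write-up (ordered, so findings are reported deterministically).
DROPPED_FILES = (
    r"%appdata%\DocumentWriter.exe",
    r"%temp%\privzate.exe",
    r"%temp%\6858.jpg",
    r"%temp%\51156.jpg",
)
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUN_TARGET = r"%appdata%\DocumentWriter.exe"
BACKDOOR_PORT = 1232


def expand(path, env):
    """Expand %var% markers from a caller-supplied environment, then normalise case."""
    expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return str(PureWindowsPath(expanded)).lower()


def triage(env, files_present, run_values, netstat_lines):
    """Return (kind, detail) findings; an empty list means no indicator matched."""
    findings = []
    present = {expand(p, env) for p in files_present}
    for ioc in DROPPED_FILES:
        if expand(ioc, env) in present:
            findings.append(("file", ioc))
    target = expand(AUTORUN_TARGET, env)
    for name, cmd in run_values.get(RUN_KEY, {}).items():
        if expand(cmd.strip('"'), env) == target:   # value data may be quoted
            findings.append(("autorun", RUN_KEY + "\\" + name))
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            findings.append(("listener", line.strip()))
    return findings


# Constructed sample host state (not captured from a real infection).
SAMPLE_ENV = {"appdata": r"C:\Users\alice\AppData\Roaming",
              "temp": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_FILES = [r"C:\Users\alice\AppData\Roaming\DocumentWriter.exe",
                r"C:\Users\alice\AppData\Local\Temp\6858.jpg",
                r"C:\Windows\notepad.exe"]
SAMPLE_RUN = {RUN_KEY: {"DocumentWriter": r'"%appdata%\DocumentWriter.exe"',
                        "OneDrive": r"C:\Program Files\OneDrive.exe"}}
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:1232    0.0.0.0:0    LISTENING    4120",
                  "  TCP    0.0.0.0:445     0.0.0.0:0    LISTENING    4"]
```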

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

GAV: ClsDLod.A ( Trojan )
GAV: ClsDLod.A_2 ( Trojan )
GAV: VB.SGQ (Trojan)
