FakeXvid.A – Increase in drive-by infections (May 20, 2011)


The SonicWALL UTM research team has seen a sudden increase in drive-by malware infections. A drive-by infection needs no action beyond visiting a web page: the page delivers a known exploit against the browser or one of its plug-ins (here, the PDF reader) and the visitor is infected without clicking anything. Some of these pages are hosted on legitimate servers that have been compromised.

The Trojan is being actively spammed via e-mails containing malicious links:

The link in the email directs the user to a malicious website pretending to host a video that requires the XVID codec:


The page contains an iframe tag that silently loads a malicious PDF file in the background:

The PDF uses a known exploit, with a heap spray to land execution on its embedded code. That code decrypts and runs a script, which in turn downloads and runs setup.exe [Detected as GAV: Kryptik.NTI_3 (Trojan)]:

Independently of the PDF exploit, the page also initiates the download of the fake codec installer XvidSetup.exe [Detected as GAV: FakeXvid.A (Trojan)]:
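The chain above (iframe, PDF, JavaScript heap spray, downloader) is what a PDF triage step should look for before the file ever reaches a reader. The script below is an added example, not SonicWALL's code and not taken from the sample described in the advisory: it builds its own minimal PDFs (one with a constructed spray-shaped script, one harmless), inflates FlateDecode streams so that compressed JavaScript is visible, and scores the classic spray shape: an unescape() filler of one repeated %u unit, a doubling loop on .length, and a loop filling an array of slots. The regexes, thresholds and the `payload` identifier are assumptions of this example; no shellcode is present.

```python
import re
import zlib

# Added example: triage a PDF for the JavaScript heap-spray pattern the advisory
# describes. Not SonicWALL code; every PDF scanned here is constructed below.

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
JS_KEY_RE = re.compile(rb"/(?:JS|JavaScript)\s*(?=\()")
UNESCAPE_RE = re.compile(rb"unescape\s*\(\s*[\"']((?:%u[0-9a-fA-F]{4})+)[\"']\s*\)")
UNIT_RE = re.compile(rb"%u([0-9a-fA-F]{4})")
GROW_LOOP_RE = re.compile(rb"while\s*\(\s*\w+\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)")
SPRAY_ARRAY_RE = re.compile(rb"for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+")


def iter_streams(pdf):
    """Yield each stream body raw and, where it inflates, its FlateDecode plaintext."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        yield body
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass  # not Flate-compressed (or not a stream we can read)


def iter_js_literals(blob):
    """Yield the balanced-parenthesis literal strings that follow /JS or /JavaScript keys."""
    for m in JS_KEY_RE.finditer(blob):
        i = start = m.end()
        depth = 0
        while i < len(blob):
            c = blob[i:i + 1]
            if c == b"\\":          # skip escaped characters inside the literal
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    yield blob[start + 1:i]
                    break
            i += 1


def heap_spray_indicators(js):
    """Score one script for the spray shape: unescape'd filler, doubling loop, slot array."""
    escapes = UNESCAPE_RE.findall(js)
    repeated = any(len(set(UNIT_RE.findall(e))) == 1 and len(UNIT_RE.findall(e)) >= 2
                   for e in escapes)
    return {
        "unescape_calls": len(escapes),
        "repeated_unescape_unit": repeated,   # e.g. "%u0c0c%u0c0c": one unit repeated
        "growth_loop": bool(GROW_LOOP_RE.search(js)),
        "spray_array": bool(SPRAY_ARRAY_RE.search(js)),
    }


def triage_pdf(pdf):
    """Aggregate indicators over every script literal and stream in the file; return a verdict."""
    streams = list(iter_streams(pdf))
    candidates = list(iter_js_literals(pdf)) + streams
    for s in streams:
        candidates.extend(iter_js_literals(s))
    found = {"javascript": bool(re.search(rb"/(?:JS|JavaScript)\b", pdf)),
             "unescape_calls": 0, "repeated_unescape_unit": False,
             "growth_loop": False, "spray_array": False}
    for js in candidates:
        ind = heap_spray_indicators(js)
        found["unescape_calls"] += ind["unescape_calls"]
        for k in ("repeated_unescape_unit", "growth_loop", "spray_array"):
            found[k] = found[k] or ind[k]
    spray = (found["javascript"] and found["growth_loop"]
             and (found["repeated_unescape_unit"] or found["spray_array"]))
    found["verdict"] = "heap-spray-likely" if spray else "no-spray-indicators"
    return found


def build_pdf(js, compress=True):
    """Construct a minimal test PDF whose /OpenAction runs `js` from object 4 (not a real sample)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Type /Action /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\nstream\n"
        + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed scripts: the first has the spray shape, the second is harmless.
# `payload` is a placeholder identifier that is never defined; there is no shellcode here.
SPRAY_JS = (
    b'var nop = unescape("%u0c0c%u0c0c");'
    b'while (nop.length < 0x40000) nop += nop;'
    b'var heap = [];'
    b'for (var i = 0; i < 200; i++) heap[i] = nop + payload;'
)
BENIGN_JS = b'app.alert("Document opened");'

if __name__ == "__main__":
    for label, js in (("spray", SPRAY_JS), ("benign", BENIGN_JS)):
        print(label, triage_pdf(build_pdf(js)))
```

The inflate step matters in practice: the script in a real sample is normally behind /FlateDecode (often also obfuscated), so a grep over the raw file for "unescape" finds nothing. Treat the verdict as a triage flag to route the file to sandboxing, not as a final classification.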

The Trojan performs the following DNS queries:

  • smtp.mail.ru

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\setup.exe [Detected as GAV: Kryptik.NTI_3 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temporary Internet Files\Content.IE5\SL2VSXQV\37dbbd[2].pdf [Detected as GAV: Pdfka.OSQ (Trojan)]

The Trojan persists across reboots by adding the following value under the Run key in the Windows registry (the path is the 8.3 short-name form of the Temp location listed above):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoStart = "C:\DOCUME~1\{USER}\LOCALS~1\Temp\setup.exe"
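A host-side check for this persistence pattern, a Run value whose image lives in the user's Temp directory, as an added example (not SonicWALL code): it parses a `reg export`-style text, rebuilds the executable path from each Run/RunOnce value, and flags entries that point into temp or browser-cache directories, matching both the long form and the 8.3 short form (DOCUME~1\...\LOCALS~1\Temp) that the advisory lists. The .reg text is constructed; the user name "alice" stands in for {USER}, and the benign entries are plausible fillers, not observations from the sample.

```python
import re

# Added example: flag Run-key autostart entries launched from temp directories,
# the persistence mechanism in the advisory. Not SonicWALL code; the .reg text is constructed.

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Directories a legitimate autostart entry should essentially never point into.
# Long and 8.3 short forms are both listed because the sample uses LOCALS~1\Temp.
SUSPICIOUS_DIRS = [
    re.compile(r"\\local settings\\temp\\", re.I),
    re.compile(r"\\locals~1\\temp\\", re.I),
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\temporary internet files\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
]


def _unescape(s):
    # .reg escaping: a doubled backslash is one backslash, backslash-quote is a quote
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: string_data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values cannot hold a command line
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        keys[current][name] = _unescape(data[1:-1])
    return keys


def extract_image_path(command):
    """Pull the executable path out of a Run value: quoted path, else text up to .exe, else first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split(" ")[0]


def find_suspicious_autostarts(reg_text):
    """List Run/RunOnce values whose image lives in a temp or browser-cache directory."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, command in values.items():
            path = extract_image_path(command)
            if any(p.search(path) for p in SUSPICIOUS_DIRS):
                hits.append({"key": key, "name": name, "path": path})
    return hits


# Constructed .reg export ("alice" is a placeholder user). The AutoStart entry mirrors
# the value the advisory lists; the other entries are fillers for the example.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"AutoStart"="\"C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\setup.exe\""',
    r'"SunJavaUpdateSched"="\"C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe\" -quiet"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"Updater"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\upd.exe /silent"',
    r'"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"',
])

if __name__ == "__main__":
    for h in find_suspicious_autostarts(SAMPLE_REG):
        print(f'{h["key"]} -> {h["name"]}: {h["path"]}')
```

On a live host the input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (the export is UTF-16, so decode it before parsing). The path heuristic is deliberately narrow: an unquoted command line with spaces is resolved only up to the first `.exe`, which is exactly the ambiguity attackers exploit with unquoted service paths, so treat any entry that does not parse cleanly as worth a look too.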

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FakeXvid.A (Trojan)
  • GAV: Kryptik.NTI_3 (Trojan)
  • GAV: Pdfka.OSQ (Trojan)
