FakeXvid.A – Increase in drive-by infections (May 20, 2011)
The SonicWALL UTM research team has seen a sudden increase in drive-by infection malware. Such an infection takes place simply by visiting a website that serves a known browser exploit. Some of these websites are hosted on legitimate servers that have been compromised.
The Trojan is being actively spammed via e-mails containing malicious links.
The link in the e-mail directs the user to a malicious website pretending to host a video that requires the XVID codec.
The website page contains an iframe HTML tag that causes the download of a malicious PDF file.
The PDF file employs a known (heap spray) exploit to run malicious code. The code decrypts and runs a script, which in turn downloads and runs setup.exe [Detected as Kryptik.NTI_3 (Trojan)].
The webpage also initiates the download of XvidSetup.exe [Detected as FakeXvid.A (Trojan)].
The Trojan performs the following DNS queries:
- smtp.mail.ru
The Trojan creates the following files on the filesystem:
- C:\Documents and Settings\{USER}\Local Settings\Temp\setup.exe [Detected as GAV: Kryptik.NTI_3 (Trojan)]
- C:\Documents and Settings\{USER}\Local Settings\Temporary Internet Files\Content.IE5\SL2VSXQV\37dbbd[2].pdf [Detected as GAV: Pdfka.OSQ (Trojan)]
The Trojan creates the following key in the Windows registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoStart "C:\DOCUME~1\{USER}\LOCALS~1\Temp\setup.exe"
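The Run entry above is a typical persistence indicator: an autorun whose executable lives in a user's Temp directory, written with 8.3 short names. The following added example (not SonicWALL code) shows a defender-side check that walks a set of Run values, expands the short-name fragments seen here, and flags any entry whose image path is under a Temp folder; the sample values are constructed, not taken from a real host.

```python
import re
from typing import Dict, List

# Constructed sample of HKLM\...\CurrentVersion\Run values as they might
# appear in a registry export (value name -> command line). Not from a real host.
SAMPLE_RUN_VALUES = {
    "AutoStart": '"C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\setup.exe"',
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
    "Updater": "C:\\Users\\alice\\AppData\\Local\\Temp\\XvidSetup.exe /s",
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
}

# 8.3 short-name fragments used in this Trojan's Run entry, mapped to long forms.
SHORT_NAMES = {"docume~1": "documents and settings", "locals~1": "local settings"}

# Directory fragments whose presence in an autorun image path is a strong indicator.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def image_path(command: str) -> str:
    """Extract the executable path from a Run value's command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def normalize(path: str) -> str:
    """Lower-case the path and expand known 8.3 fragments so matching is uniform."""
    p = path.lower()
    for short, long in SHORT_NAMES.items():
        p = p.replace(short, long)
    return p


def flag_temp_autoruns(run_values: Dict[str, str]) -> List[str]:
    """Return the names of Run values whose executable lives in a Temp directory."""
    flagged = []
    for name, command in run_values.items():
        p = normalize(image_path(command))
        if any(marker in p for marker in TEMP_MARKERS):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in flag_temp_autoruns(SAMPLE_RUN_VALUES):
        print(f"suspicious autorun: {name} -> {SAMPLE_RUN_VALUES[name]}")
```

On a live host the same function can be fed the output of a Run-key enumeration; an entry in Temp is not proof of this Trojan, but it matches the persistence pattern described above and warrants comparison against the file IoCs listed.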
SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: FakeXvid.A (Trojan)
- GAV: Kryptik.NTI_3 (Trojan)
- GAV: Pdfka.OSQ (Trojan)