McDonald's Free Dinner e-mail Leads to FakeAV (June 22, 2011)

SonicWALL UTM Research team received reports of a new spam campaign in the wild that pretends to come from McDonald's Restaurants. The e-mails use subject lines about a “McDonalds Free Dinner”.

The spam e-mails observed in this campaign look as follows:

Subject:

  • Come to us at our holiday of healthy and free food
  • Dont miss The Free Five-Course Dinner Day
  • Find the invitation to Free Day in the letter
  • Get a ticket for free helpings
  • Large free dish of five courses
  • Tasty and free food for each visitor
  • The Free Day holiday is here
  • The Free Dinner Day
  • The letter contains the ticket for free helpings
  • We are having the holiday of free food
  • We gift you a ticket to the day of free dishes

Attachment: Invitation_Card{Random Numbers}.zip (22.9KB)

screenshot

The executable inside the archive masquerades as a Microsoft Word document by using the icon seen below:

screenshot

If the user extracts and runs the malicious executable inside the zip attachment, it performs the following actions:

  • Creates an SVCHOST.EXE process and injects its code into it.
  • Copies itself to %Startup%\dxdiag.exe [ detected as GAV: Obfuscator.PO_2 (Virus) ] and sets the copy's timestamp to match that of ntdll.dll, to evade tools that look for newly created files.
  • Deletes the original executable file.

Downloads other malware:

  • Application Data\gog.exe – [ detected as GAV: FakeAV.LSX (Trojan) ]

Dropped files:

  • Application Data\completescan
  • Application Data\ct_start
  • Application Data\1.gif
  • Application Data\install
  • Application Data\start

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: ”Application Data\gog.exe”
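The two host-side indicators above, the Winlogon Shell override and the dxdiag.exe copy whose timestamp has been cloned from ntdll.dll, can both be checked with a small script. The following is an added example, not code from the original post or from SonicWALL: it classifies a Winlogon Shell value and lists files in a folder whose modification time exactly equals that of a reference file. The demo directory, file names and the 2008 reference timestamp are constructed here so the script runs offline on any OS; on a real Windows host the caller would read the Shell value from the registry key named above and pass the real Startup folder and %SystemRoot%\system32\ntdll.dll.

```python
import ntpath
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The only program Winlogon's Shell value normally names.
EXPECTED_SHELL = "explorer.exe"


def winlogon_shell_verdict(shell_data):
    """Classify a Winlogon\\Shell value.

    Returns (suspicious, reason). The HKCU copy of this value is normally
    absent altogether; HKLM holds "explorer.exe". Shell may be a comma-
    separated list, so every entry is checked.
    """
    if shell_data is None:
        return (False, "no Shell override present")
    entries = [e.strip().strip('"') for e in shell_data.split(",") if e.strip()]
    # ntpath is used deliberately so Windows-style paths split correctly on any OS.
    bad = [e for e in entries if ntpath.basename(e).lower() != EXPECTED_SHELL]
    if bad:
        return (True, "Shell points at non-standard program(s): " + ", ".join(bad))
    return (False, "Shell is the standard explorer.exe")


def find_timestamp_clones(folder, reference):
    """Return names of files in `folder` whose mtime equals `reference`'s exactly.

    A freshly dropped file that shares ntdll.dll's modification time to the
    nanosecond is far more likely timestomped than coincidental.
    """
    ref_mtime = os.stat(reference).st_mtime_ns
    clones = []
    for entry in sorted(Path(folder).iterdir()):
        if entry.is_file() and entry.stat().st_mtime_ns == ref_mtime:
            clones.append(entry.name)
    return clones


def build_demo_dir():
    """Construct a temporary fixture (hypothetical data) and return (startup_dir, reference_file)."""
    base = Path(tempfile.mkdtemp(prefix="timestomp_demo_"))
    reference = base / "ntdll.dll"  # stand-in for %SystemRoot%\system32\ntdll.dll
    reference.write_bytes(b"reference")
    # Give the reference an old, OS-install-era timestamp (constructed value).
    old_ns = int(datetime(2008, 4, 14, tzinfo=timezone.utc).timestamp()) * 1_000_000_000
    os.utime(reference, ns=(old_ns, old_ns))

    startup = base / "Startup"
    startup.mkdir()
    (startup / "readme.txt").write_bytes(b"benign")  # keeps its real (current) mtime
    stomped = startup / "dxdiag.exe"
    stomped.write_bytes(b"MZ placeholder, not a real executable")
    # Reproduce the artifact the post describes: copy ntdll.dll's timestamps onto the drop.
    ref_stat = os.stat(reference)
    os.utime(stomped, ns=(ref_stat.st_atime_ns, ref_stat.st_mtime_ns))
    return startup, reference


if __name__ == "__main__":
    startup_dir, ref = build_demo_dir()
    print("timestamp clones in Startup:", find_timestamp_clones(startup_dir, ref))
    for value in (None, "explorer.exe", r'"Application Data\gog.exe"'):
        print(repr(value), "->", winlogon_shell_verdict(value))
```

On the constructed fixture the clone check reports only dxdiag.exe, and the Shell check flags the gog.exe value while accepting explorer.exe; a live triage would extend the file check to every persistence location the post lists under "Dropped files".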

Network Activity:

This malware collects system information and sends it to a remote server every 96 seconds, using the following User-Agent:

    User-Agent: Our_Agent

  • http://diamond{REMOVED}e2011.ru//forum/task.php?bid={VolumeInfo}&os={OS Version}&uptime=0&rnd={random number}

Once the remote server receives the system information, it acknowledges it and replies with one of the following commands:

  • download – download other malware
  • update – update itself
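The beacon described above has three stable traits a defender can key on: the fixed User-Agent "Our_Agent", a check-in to task.php carrying the bid, os, uptime and rnd parameters, and a 96-second cadence. The following is an added example, not code from the original post or from SonicWALL, that runs those three checks over proxy log lines. The log format, the client addresses and the example-c2.invalid host are constructed for the demo; only the User-Agent string, the path and the parameter names come from the post.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (hypothetical traffic, not a real capture).
# Format: "<ISO time> <client> <method> <url> "<user-agent>""
SAMPLE_LOG = """\
2011-06-22T10:00:00 10.0.0.5 GET http://example-c2.invalid/forum/task.php?bid=1A2B3C4D&os=5.1&uptime=0&rnd=48213 "Our_Agent"
2011-06-22T10:00:30 10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0"
2011-06-22T10:01:36 10.0.0.5 GET http://example-c2.invalid/forum/task.php?bid=1A2B3C4D&os=5.1&uptime=0&rnd=90211 "Our_Agent"
2011-06-22T10:03:12 10.0.0.5 GET http://example-c2.invalid/forum/task.php?bid=1A2B3C4D&os=5.1&uptime=0&rnd=12 "Our_Agent"
2011-06-22T10:03:40 10.0.0.9 GET http://www.example.com/forum/task.php?bid=x "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

BEACON_UA = "Our_Agent"                       # from the post
BEACON_PARAMS = {"bid", "os", "uptime", "rnd"}  # from the post's task.php URL
BEACON_INTERVAL = 96                          # seconds, from the post
TOLERANCE = 10                                # slack for scheduling jitter (assumption)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry


def beacon_reasons(entry):
    """List which static indicators a single request matches."""
    reasons = []
    if entry["ua"] == BEACON_UA:
        reasons.append("user-agent")
    parts = urlsplit(entry["url"])
    # A task.php hit alone is common; require the full check-in parameter set.
    if parts.path.endswith("/task.php") and BEACON_PARAMS <= set(parse_qs(parts.query)):
        reasons.append("task.php check-in parameters")
    return reasons


def scan_log(text):
    """Return every request that matched at least one static indicator."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = beacon_reasons(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "client": entry["client"],
                         "url": entry["url"], "reasons": reasons})
    return hits


def periodic_clients(hits, interval=BEACON_INTERVAL, tolerance=TOLERANCE):
    """Map client -> list of inter-request gaps that sit within tolerance of the beacon interval."""
    by_client = {}
    for hit in hits:
        by_client.setdefault(hit["client"], []).append(hit["ts"])
    result = {}
    for client, times in by_client.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - interval) <= tolerance]
        if periodic:
            result[client] = periodic
    return result


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["client"], hit["reasons"])
    print("clients beaconing at ~96s:", periodic_clients(hits))
```

The static matches alone would already fire on the User-Agent, but the cadence check is what separates a one-off hit on a legitimate task.php from a host that phones home on the 96-second schedule the post describes; the unrelated www.example.com request to task.php is not flagged because it lacks the full parameter set.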

FakeAV

    This malware also downloads and installs a FakeAV application. Once installed, it shows a fake Microsoft Security Essentials alert, as seen below:

    screenshot

    After the user clicks the “Scan Online” button, it shows the following message and prompts for a system reboot:

    screenshot

    After the reboot, the following FakeAV screens appear. It then asks the user to pay for the software to completely clean the system.

    screenshots (four FakeAV screens)

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Obfuscator.PO_2
  • GAV: FakeAV.LSX (Trojan)
  • GAV: Zurgop.Z#email (Trojan)

screenshot
