Back to overview

Threat intelligence

McDonald's Free Dinner e-mail Leads to FakeAV (June 22, 2011)

by Security News

SonicWALL UTM Research team received reports of a new spam campaign pretending to be arriving from McDonalds Restaurants being spammed in the wild. This campaign includes subject about "McDonalds Free Dinner".

The sample e-mail format of the spam campaign includes the following:

Subject:

  • Come to us at our holiday of healthy and free food
  • Dont miss The Free Five-Course Dinner Day
  • Find the invitation to Free Day in the letter
  • Get a ticket for free helpings
  • Large free dish of five courses
  • Tasty and free food for each visitor
  • The Free Day holiday is here
  • The Free Dinner Day
  • The letter contains the ticket for free helpings
  • We are having the holiday of free food
  • We gift you a ticket to the day of free dishes

    •

Attachment: Invitation_Card{Random Numbers}.zip (22.9KB)

screenshot

The executable file masquerades as a Microsoft Word document by using an icon seen below:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates the process SVCHOST.EXE and injects its code.
  • Copies itself as %Startup%/dxdiag.exe [ detected as GAV: Obfuscator.PO_2 (Virus) ]
    Sets the time stamp as the same with ntdll.dll to hide itself from malware tools that checks for newly created files.
  • Deletes the original executable file

Downloads other malware:

  • Application Datagog.exe - [ detected as GAV: FakeAV.LSX (Trojan) ]

Dropped files:

  • Application Datacompletescan
  • Application Datact_start
  • Application Data1.gif
  • Application Datainstall
  • Application Datastart

Added Registry:

  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon
    Value: Shell
    Data:"Application Datagog.exe"

Network Activity:

This malware steals system information and sends them to remote server every 96 seconds.

    User-Agent: Our_Agent

  • http://diamond{REMOVED}e2011.ru//forum/task.php?bid={VolumeInfo}&os={OS Version}&uptime=0&rnd={random number}

Once the remote server receives the system information, it will acknowledge it and reply with commands as follows:

  • download - download other malware
  • update - update itself

FakeAV

    This malware also downloads and installs FakeAV application. Once installed it will show a Fake Microsoft Security Essentials Alert as seen below:

    screenshot

    After Clicking the "Scan Online" Button, it will show this message and prompts for rebooting the system:

    screenshot

    After rebooting the system, the following FakeAV screens will appear. It will then ask the user to pay for the software to completely clean the system.

    screenshot

    screenshot

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Obfuscator.PO_2
  • GAV: FakeAV.LSX (Trojan)
  • GAV: Zurgop.Z#email (Trojan)

screenshot

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.