Financial spam campaigns on the rise (July 08, 2011)


SonicWALL UTM Research team continued to observe a increase in financial spam campaigns pretending to be from a credit card company. The email attempts to grab the reader’s attention by stating that their credit card bill is overdue. The attachment in the email purporting to be a financial statement is a newer variant of the FakeAV we analyzed earlier.

The spam campaign is shown below:


It performs the following activities when executed:

  • It creates the following files:
    • Start MenuProgramsStartupdxdiag.exe (Copy of itself) [Detected as GAV: Aspxor.Y (Trojan)]
    • WINDOWSsystem32aspimgr.exe [Detected as GAV: Danmec.E (Trojan)]
    • WINDOWSdvcbdt1.dll [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%rrtegggggggg[1].exe [Detected as GAV: FakeAV.AHV (Trojan)]
    • %temp%gggssgsdggg[1].exe [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%bibalabibabuba[1].exe [Detected as GAV: Aspxor.Z (Trojan)]
  • It reports new infection to a remote server:
    • GET /forum1/task.php?bid=462e39cb208270ad&os=5-1-2600&uptime=0&rnd=574609 HTTP/1.1
  • It downloads further files from a remote server using a custom user-agent string:
    • GET /forum1/load.php?module=grabbers HTTP/1.1
      User-Agent: Our_Agent
  • It creates the following registry entry to ensure infection on reboot:
    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Ulazebebebag “rundll32.exe “C:WINDOWSdvcbdt1.dll”,Startup”
  • It displays fake scans and infections and prompts the user to purchase the product in order to clean their computer.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Oficla.FS (Trojan)
  • GAV: Oficla.FS#email (Trojan)
  • GAV: Aspxor.Y (Trojan)
  • GAV: Aspxor.Z (Trojan)
  • GAV: Danmec.E (Trojan)
  • GAV: Mufanom.BLDH (Trojan)
  • GAV: FakeAV.AHV (Trojan)


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.