Wrong Hotel transaction spam campaign (July 28, 2011)


SonicWALL UTM Research team observed a new spam campaign pretending to be from known hotels like Embassy suites, Marriott, etc in the wild. The e-mail contains an apology note from Hotel’s reservation department listing details about a wrong transaction applied to your credit card. It further asks the user to download and fill out the refund form attached with the e-mail. The e-mail attachment is a zip file which contains a malicious Fake AV Downloader Trojan executable.

A sample e-mail message looks like:


A sample list of e-mail subjects showing various Hotels masqueraded in this campaign till now:


The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file:


The file if executed will perform activity similar to what we have seen in previous variants:

  • Creates a process SVCHOST.EXE and injects code into it.
  • Reports the infected machine to a server on domain yomwar(REMOVED).ru by sending the following GET request:
    • GET /forum3/task.php?bid=a67a41eXXXXX23&os=5-1-2600&uptime=0&rnd=229125
  • Drops following files
    • (Startup)dxdiag.exe [Copy of itself that starts upon system re-boot and runs the Fake AV]
    • (Application Data)gL11000PgAgJ11000gL11000PgAgJ11000.exe [GAV: Fakesysdef.BDO (Trojan) downloaded from radio-80.com
    • ]

  • Deletes the original copy of the file.
  • Runs the downloaded new Fake AV Trojan variant which performs following activity after a 500 milisecond sleep:
    • Displays multiple fake infections in Rogue AV GUI
    • screenshot

    • Unlike previous Fake AV variants it does not hide the user program files but instead makes them unusable. It terminates any user initiated processes displaying a fake alert message
    • screenshot

    • Prompts user to purchase the full version in order to clean up the fake infections
    • screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

  • GAV: Injecter.GFY (Trojan)
  • GAV: Zbot.ASK_2 (Trojan)
  • GAV: Kryptik.QUV (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.