Wrong Hotel transaction spam campaign (July 28, 2011)
SonicWALL UTM Research team observed a new spam campaign in the wild pretending to be from well-known hotels such as Embassy Suites and Marriott. The e-mail contains an apology note from the hotel's reservation department listing details of a wrong transaction applied to the recipient's credit card. It then asks the user to download and fill out the refund form attached to the e-mail. The attachment is a zip file containing a malicious Fake AV Downloader Trojan executable.
A sample e-mail message looks like:
A sample list of e-mail subjects showing various Hotels masqueraded in this campaign till now:
The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file:
The file if executed will perform activity similar to what we have seen in previous variants:
- Creates a process SVCHOST.EXE and injects code into it.
- Reports the infected machine to a server on domain yomwar(REMOVED).ru by sending the following GET request:
- GET /forum3/task.php?bid=a67a41eXXXXX23&os=5-1-2600&uptime=0&rnd=229125
- Drops following files
- (Startup)dxdiag.exe [Copy of itself that starts upon system re-boot and runs the Fake AV]
- (Application Data)gL11000PgAgJ11000gL11000PgAgJ11000.exe [GAV: Fakesysdef.BDO (Trojan), downloaded from radio-80.com]
- Deletes the original copy of the file.
- Runs the downloaded new Fake AV Trojan variant, which performs the following activity after a 500 millisecond sleep:
- Displays multiple fake infections in Rogue AV GUI
- Unlike previous Fake AV variants, it does not hide the user's program files but instead makes them unusable: it terminates any user-initiated process and displays a fake alert message
- Prompts user to purchase the full version in order to clean up the fake infections
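The check-in request above (path /forum3/task.php with bid, os, uptime and rnd parameters) is a usable detection hook for proxy or web-gateway logs. The following is an added example, not SonicWALL code: it scans constructed log lines and flags requests matching that beacon shape. The log format, the hostname placeholder and the sample values are assumptions; the real host is redacted on the page, so matching is done on the path and parameters rather than the domain.

```python
import re
from urllib.parse import urlparse, parse_qs

# Beacon path and query parameters as reported for this campaign.
BEACON_PATH = re.compile(r"^/forum3/task\.php$")
REQUIRED_PARAMS = {"bid", "os", "uptime", "rnd"}

# Constructed sample proxy log (not real traffic): "src_ip method host url".
# Hostname is a placeholder; the page redacts the real domain.
SAMPLE_LOG = """\
10.0.0.5 GET c2-placeholder.invalid /forum3/task.php?bid=a67a41e0000023&os=5-1-2600&uptime=0&rnd=229125
10.0.0.6 GET www.example.com /index.html
10.0.0.7 GET c2-placeholder.invalid /forum3/task.php?bid=deadbeef&os=6-1-7601&uptime=12&rnd=1
10.0.0.8 GET www.example.com /forum3/task.php?bid=1
"""

def parse_line(line):
    """Split one assumed-format log line into its four fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, method, host, url = parts
    return {"src": src, "method": method, "host": host, "url": url}

def match_beacon(entry):
    """Return the parsed check-in fields if the request has the reported shape, else None."""
    if entry["method"] != "GET":
        return None
    parsed = urlparse(entry["url"])
    if not BEACON_PATH.match(parsed.path):
        return None
    qs = parse_qs(parsed.query)
    if not REQUIRED_PARAMS.issubset(qs):
        return None
    # The os value is reported as major-minor-build (e.g. 5-1-2600); sanity-check its form.
    os_parts = qs["os"][0].split("-")
    return {
        "src": entry["src"],
        "host": entry["host"],
        "bot_id": qs["bid"][0],
        "os": qs["os"][0],
        "os_well_formed": len(os_parts) == 3 and all(p.isdigit() for p in os_parts),
        "uptime": qs["uptime"][0],
    }

def scan_log(text):
    """Return one finding per log line that matches the beacon; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            hit = match_beacon(entry)
            if hit:
                hits.append(hit)
    return hits
```

The last sample line shares the path but lacks the full parameter set, so it is not flagged; tightening or loosening REQUIRED_PARAMS tunes the rule's precision.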
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Injecter.GFY (Trojan)
- GAV: Zbot.ASK_2 (Trojan)
- GAV: Kryptik.QUV (Trojan)