US Postal Service Email Spam (Oct 21, 2011)

The SonicWALL UTM Research team has received reports of a new spam campaign in the wild whose messages purport to come from the US Postal Service. The attachment carries a new variant of the Dofoil Trojan, which SonicWALL detects as GAV: Dofoil.L. Once running, the Trojan also downloads further malware components, including other Trojans and FakeAV software.

Sample e-mails from the campaign use the following format:

Subject:

  • USPS Shipment Status IDxxxxxxxx
  • USPS service. Get your parcel IDxxxxxxxx
  • USPS Invoice copy IDxxxxxxxx
  • USPS Tracking number IDxxxxxxxx

Attachment: Post_Label#id{Random Numbers}.zip

The ZIP attachment contains the malicious executable, which is disguised with a Microsoft Word document icon as shown below. The icon is purely cosmetic: the file is still a Windows executable and runs as one when double-clicked.

    screenshot

Example of the email spam:

    screenshot
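A mail-gateway check for this campaign does not need to trust icons or display names; it can match the subject and attachment-name patterns quoted above and, more robustly, open the ZIP and look for a Windows PE header (`MZ`) or an executable extension inside it. The following script is an added example written for this page, not SonicWALL code and not derived from the actual sample. The sample message it builds is constructed in memory (the sender address, body text and the fake `MZ` payload are all invented), and it treats the `IDxxxxxxxx` placeholder as eight digits, which is an assumption.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject patterns from the advisory ("USPS ... IDxxxxxxxx"); eight digits is an assumption.
SUBJECT_RE = re.compile(r"^USPS\b.*\bID\d{8}$")
# Attachment name pattern from the advisory: Post_Label#id{Random Numbers}.zip
ATTACHMENT_RE = re.compile(r"^Post_Label#id\d+\.zip$", re.IGNORECASE)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def zip_executables(data: bytes) -> list[str]:
    """Names of ZIP members that are executables by content (PE 'MZ' header) or by extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)          # only the magic bytes are needed
            ext = os.path.splitext(info.filename)[1].lower()
            if head == b"MZ" or ext in EXECUTABLE_EXTS:
                found.append(info.filename)
    return found


def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message: lure patterns plus executables hidden in ZIP attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    result = {"subject_match": bool(SUBJECT_RE.match(subject)),
              "attachment_match": False, "executables": []}
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if ATTACHMENT_RE.match(filename):
            result["attachment_match"] = True
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip") or payload[:2] == b"PK":   # ZIP by name or magic
            try:
                result["executables"].extend(zip_executables(payload))
            except zipfile.BadZipFile:
                pass                                                    # corrupt archive: not our concern here
    lure = result["subject_match"] and result["attachment_match"]
    result["verdict"] = "quarantine" if (result["executables"] or lure) else "deliver"
    return result


def build_sample(subject: str, member_name: str, member_bytes: bytes,
                 attachment_name: str = "Post_Label#id12345678.zip") -> bytes:
    """Constructed test message (invented sender, body and payload), shaped like the campaign mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "USPS Service <noreply@usps.example>"   # constructed
    msg["To"] = "user@example.net"                        # constructed
    msg["Subject"] = subject
    msg.set_content("Your parcel could not be delivered. Print the attached label and bring it to the post office.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment_name)
    return bytes(msg)


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62      # not a real program, just the PE magic bytes
    print(triage(build_sample("USPS Tracking number ID12345678", "Post_Label#id12345678.exe", fake_pe)))
    print(triage(build_sample("Re: meeting", "label.doc", fake_pe, attachment_name="label.zip")))
```

The second call in the usage block is the case the advisory's Word icon is meant to exploit: a member named like a document that is really a PE file. Because the check reads the member's first two bytes rather than trusting the name or icon, it is still quarantined even though neither lure pattern matches.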

If the user extracts and runs the executable inside the ZIP attachment, it performs the following actions:

  • Creates an SVCHOST.EXE process and injects its code into it.
  • Creates a copy of itself as %Application Data%\csrss.exe and deletes the original executable. The file name imitates the legitimate Windows Client/Server Runtime process, which normally runs only from %windir%\System32.

Downloads other malware:

  • %windir%\system32\msrepl40A.exe – [ detected as GAV: Swisyn.JYB (Trojan) ]
  • %windir%\system32\wbcache8.exe – [ detected as GAV: Swisyn.JYB (Trojan) ]
  • sl20.exe – [ detected as GAV: EncPk.WX_3 (Trojan) ]
  • setup.exe – [ detected as GAV: Pirminay.ANW (Trojan) ]
  • 574-01.exe – [ detected as GAV: FakeAlert.BHX (Trojan) ]
  • sssss.exe – [ detected as GAV: Danmec.L (Trojan) ]

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\gtwbetugt
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Epsilon Squared
    Data: "%Application Data%\csrss.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: TKYDMYTE
    Data: "C:\WINDOWS\System32\wbcache8.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Dbft
    Data: "C:\WINDOWS\System32\msrepl40A.exe"

Network Activity:

HTTP GET Requests:

  • http://live{REMOVED}128.ru/m07/index.php
  • http://suteki{REMOVED}disc.jp/walking-diet/
  • http://image{REMOVED}ing.be/

DNS Requests:

  • live{REMOVED}128.ru

Hosts File Modification:

The malware adds the following entries to the hosts file. Each maps a torrent site to the loopback address, so lookups for those names never leave the machine and access to the sites is blocked.

  • 127.0.0.1 thepiratebay.org
  • 127.0.0.1 www.thepiratebay.org
  • 127.0.0.1 mininova.org
  • 127.0.0.1 www.mininova.org
  • 127.0.0.1 forum.mininova.org
  • 127.0.0.1 blog.mininova.org
  • 127.0.0.1 suprbay.org
  • 127.0.0.1 www.suprbay.org
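Both the registry persistence listed under "Added Registry" and the hosts-file tampering above leave artifacts that can be swept offline once they have been collected from a host. The script below is an added example written for this page, not SonicWALL code. It parses a hosts file for non-loopback names pinned to 127.0.0.1, ::1 or 0.0.0.0, and parses a `reg export` dump for autorun values under Run, RunOnce and Policies\Explorer\Run, flagging executables in user-writable locations, system-process names (such as csrss.exe) running from outside System32, and any use of the Policies\Explorer\Run key. The sample hosts file and registry export are constructed to mirror the entries in the advisory; the `VendorUpdater` value is an invented benign entry included to show what is not flagged.

```python
import re
from ipaddress import ip_address

# Names that legitimately resolve to loopback in a hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
# Core Windows processes that live in %SystemRoot%\System32; a copy elsewhere is a masquerade.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\", "%windir%\\system32\\")
USER_WRITABLE_MARKERS = ("\\application data\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\Run(Once)?\]$", re.IGNORECASE)      # [...\Run] or [...\RunOnce]
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')                 # "name"="string data"


def hosts_sinkholes(text: str) -> list[tuple[str, str]]:
    """(address, hostname) pairs where a non-loopback name is pinned to a loopback/unspecified address."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()        # strip comments, split on any whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ip_address(fields[0])
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            for host in fields[1:]:                   # one line may carry several names
                if host.lower() not in LOOPBACK_OK:
                    hits.append((fields[0], host.lower()))
    return hits


def run_entries(reg_text: str) -> list[tuple[str, str, str]]:
    """(key, value name, data) for string values under Run/RunOnce keys in a 'reg export' dump."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if RUN_KEY_RE.search(line) else None
            continue
        m = REG_VALUE_RE.match(line) if key else None
        if m:
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")   # undo .reg escaping
            entries.append((key, m.group(1), data))
    return entries


def command_path(data: str) -> str:
    """Executable path from a Run value: the quoted token if present, else the first token."""
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def suspicious_run_entries(reg_text: str) -> list[dict]:
    hits = []
    for key, name, data in run_entries(reg_text):
        path = command_path(data).lower()
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("user-writable path")
        if base in SYSTEM_PROCESS_NAMES and not path.startswith(SYSTEM32_PREFIXES):
            reasons.append("system process name outside System32")
        if "\\policies\\explorer\\run" in key.lower():
            reasons.append("Policies\\Explorer\\Run autorun (normally set only by Group Policy)")
        if reasons:
            hits.append({"key": key, "value": name, "path": path, "reasons": reasons})
    return hits


# Constructed samples shaped like the advisory's artifacts (not captured from an infected host).
HOSTS_SAMPLE = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org   # inline comment
127.0.0.1 mininova.org
0.0.0.0 suprbay.org www.suprbay.org
"""
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Epsilon Squared"="\"C:\\Documents and Settings\\user\\Application Data\\csrss.exe\""
"TKYDMYTE"="\"C:\\WINDOWS\\System32\\wbcache8.exe\""
"Dbft"="\"C:\\WINDOWS\\System32\\msrepl40A.exe\""
"""

if __name__ == "__main__":
    for addr, host in hosts_sinkholes(HOSTS_SAMPLE):
        print(f"hosts: {host} -> {addr}")
    for hit in suspicious_run_entries(REG_SAMPLE):
        print(f"autorun: {hit['value']} = {hit['path']} ({'; '.join(hit['reasons'])})")
```

On a live Windows host the inputs are `%SystemRoot%\System32\drivers\etc\hosts` and the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" run.reg`; note that `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing its text in. The wbcache8.exe and msrepl40A.exe values sit in System32 and carry innocuous-looking names, so they are caught only by the key they live in, which is why the Policies\Explorer\Run rule is kept separate from the path-based ones.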

FakeAV

After the FakeAV component is installed, it displays a fake Windows error alert, as seen below:

    screenshot

    screenshot

    screenshot

Clicking the "Scan and fix" button runs a bogus scan and displays fabricated results:

    screenshot

Clicking the “Fix Errors” button prompts the user to buy the fake security software.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dofoil.L#email (Trojan)
  • GAV: Dofoil.L (Trojan)
  • GAV: Swisyn.JYB (Trojan)
  • GAV: EncPk.WX_3 (Trojan)
  • GAV: Pirminay.ANW (Trojan)
  • GAV: FakeAlert.BHX (Trojan)
  • GAV: Danmec.L (Trojan)