American Arlines Ticket Spam – XP Home Security 2012 (Dec 22, 2011)


The Sonicwall UTM research team discovered a new spam campaign spreading a well known FakeAV: XP Home Security 2012.

The Trojan spreads through email and arrives as a zipped email attachment purporting to be from American Airlines:

The Trojan uses the following icon in an attempt to masquerade as a harmless PDF file:

The Trojan performs the following DNS queries:

  • www.mortg{removed}.tv
  • refunados{removed}.ru
  • www.tria{removed}.org

The Trojan spawns and injects code into svchost.exe causing it to make the following HTTP GET request from a compromised remote webserver:

The Trojan downloads 1.exe, renames it to gio.exe and executes it. It uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:Documents and Settings{USER}Local SettingsApplication Datagio.exe [Detected as GAV: FakeAv.JICD (Trojan)]
  • C:Documents and Settings{USER}Application Datacsrss.exe [Detected as GAV: Bredo.T (Trojan)]
  • C:Documents and Settings{USER}Local SettingsApplication Data708j72l30qfte5ro4u62483b417elw [Detected as GAV: FakeAvCn.C (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_CLASSES_ROOTJ2shellopencommand “C:Documents and Settings{USER}Local SettingsApplication Datagio.exe” -a “%1” %*
  • HKEY_CLASSES_ROOT.exeshellopencommand “C:Documents and Settings{USER}Local SettingsApplication Datagio.exe” -a “%1” %*
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun “WinRAR SFX” “C:Documents and Settings{USER}Application Datacsrss.exe”
  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun “bieovju rundll32 C:DOCUME~1{USER}APPLIC~1MICROS~1Protectyxikrlc.n, dquc”

The Trojan deletes the following keys from the Windows registry to disable automatic updates:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswuauserv

The Trojan runs gio.exe using the following command line:

      C:Documents and Settings{USER}Local SettingsApplication Datagio.exe" -dtm -a

The Trojan pops up the following FakeAV windows in an attempt to fool the user into buying the software:

The Trojan blocks certain applications from running such as Task Manager, and Internet Explorer:

The Trojan was observed opening the following files and directories:

      C:Program FilesCommon FilesIpswitchWS_FTP*.*0x00
      C:Documents and Settings{USER}Application DataIpswitchWS_FTPSites*.*
      C:Documents and SettingsAll UsersApplication DataFlashFXP3Sites.dat
      C:Documents and Settings{USER}Application DataFileZillasitemanager.xml
      C:Documents and Settings{USER}Application DataFileZillarecentservers.xml

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Bredo.T (Trojan)
  • GAV: FakeAv.JICD (Trojan)
  • GAV: FakeAvCn.C (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.