Fake Canada Post Spam campaign leads to Trojan (Jan 20, 2012)
The SonicWALL UTM research team received reports of a new spam campaign purporting to come from Canada Post Corporation. The Trojan spreads through an email that attempts to trick the user into downloading what is presented as a delivery status PDF file.
Below is a screenshot of the email:
The email provides fake Canada Post URLs, one of which leads to the download of the Trojan: www.magya{removed}.net/trkEE710410485CN.pif. The file name mimics a Canada Post tracking number, but the .pif extension is a Windows executable type rather than a PDF.
Once downloaded and run, the Trojan injects code into C:\WINDOWS\System32\wuauclt.exe (the Windows Update client) and runs it.
The Trojan adds the following files to the filesystem:
- C:\Documents and Settings\All Users\Local Settings\Temp\eldf1dff000f1071.exe [Detected as GAV: Injector.NDP_2 (Trojan)]
- C:\Documents and Settings\{USER}\Local Settings\Temp\ 0114714.tmp [Detected as GAV: Injector.NDP_6 (Trojan)]
The Trojan adds the following key to the Windows registry to enable startup after reboot:
The Trojan makes the following DNS requests:
- www.goo{removed}n.net
- www.poli{removed}
The Trojan was observed posting potentially sensitive encrypted system information to a remote web server:
The Trojan was also observed making the following request to download additional malware from a remote web server:
The downloaded file mYhY8A9.exe is saved as: C:\Documents and Settings\{USER}\Local Settings\Temp\ 0114714.tmp [Detected as GAV: Injector.NDP_6 (Trojan)]
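The two indicators above that survive redaction are the shape of the lure URL (an executable extension behind a tracking-number-style file name) and the pattern of the dropped files (executables, or a .tmp that is really a PE, written under Local Settings\Temp). The following is an added detection example written for this page; it is not SonicWALL code and it does not reproduce the GAV signatures. The proxy log lines and the hostnames in them are constructed for the example (the real domains are redacted on the page), and the set of legitimate Canada Post hosts is an assumption.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Extensions Windows will execute directly. .pif is a legacy "program
# information file"; if a PE is stored under that name Windows runs it,
# which is what the trkEE710410485CN.pif lure relies on.
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# UPU S10 postal tracking number format used by Canada Post:
# two letters, nine digits, two-letter country code (EE710410485CN).
S10_RE = re.compile(r"[A-Z]{2}\d{9}[A-Z]{2}")

# Hosts a genuine Canada Post tracking link would use (assumption).
LEGIT_HOSTS = {"www.canadapost.ca", "canadapost.ca"}

# Per-user and All Users temp directory on Windows XP era paths, as on the page.
TEMP_DIR_RE = re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE)


def _extension(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL looks like the lure, else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    name = parsed.path.rsplit("/", 1)[-1]
    ext = _extension(name)
    if host in LEGIT_HOSTS:
        return None
    if ext in EXEC_EXTENSIONS and S10_RE.search(name):
        return f"executable {ext} named like a tracking number on {host}"
    if ext in EXEC_EXTENSIONS:
        return f"executable {ext} download from {host}"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan 'timestamp user method url status' lines; return (ts, url, reason) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, _user, _method, url, _status = fields
        reason = classify_url(url)
        if reason:
            hits.append((ts, url, reason))
    return hits


def suspicious_dropped_path(path: str, header: bytes = b"") -> bool:
    """True for an executable written under Local Settings\\Temp.

    header is the first bytes of the file, if available: the page's second
    artifact is a .tmp that is really the downloaded mYhY8A9.exe, so a
    PE 'MZ' header counts even when the extension looks harmless.
    """
    if not TEMP_DIR_RE.search(path):
        return False
    name = path.rsplit("\\", 1)[-1]
    return _extension(name) in EXEC_EXTENSIONS or header.startswith(b"MZ")


# Constructed sample proxy log; hostnames are placeholders, not the real C2.
SAMPLE_PROXY_LOG = """\
2012-01-20T09:14:02Z alice GET http://www.magya-example.net/trkEE710410485CN.pif 200
2012-01-20T09:14:05Z alice GET http://www.canadapost.ca/cpo/mc/personal/tools/track/tracking.jsf 200
2012-01-20T09:14:40Z alice GET http://www.goo-example.net/mYhY8A9.exe 200
2012-01-20T09:15:01Z bob GET http://intranet.example/report.pdf 200
"""

if __name__ == "__main__":
    for ts, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(ts, url, "->", reason)
    dropped = r"C:\Documents and Settings\alice\Local Settings\Temp\ 0114714.tmp"
    print(dropped, "->", suspicious_dropped_path(dropped, b"MZ\x90\x00"))
```

The URL check deliberately treats any executable extension on a non-Canada Post host as a hit, so it also catches the second-stage mYhY8A9.exe download; the tracking-number match only sharpens the reason string. The `header` argument lets the same dropped-file check work on endpoint telemetry that records file magic, which is the only way to catch the .tmp artifact.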
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Injector.NDP (Trojan)
- GAV: Injector.NDP_2 (Trojan)
- GAV: Injector.NDP_3 (Trojan)
- GAV: Injector.NDP_4 (Trojan)
- GAV: Injector.NDP_6 (Trojan)
- GAV: Injector.KLH (Trojan)