The SonicWALL UTM research team received reports of a new spam campaign purporting to come from Canada Post Corporation. The Trojan spreads through an email that tries to trick the user into downloading what is presented as a delivery-status PDF file.
Below is a screenshot of the email:
The email provides fake Canada Post URLs, one of which leads to the download of the Trojan www.magya{removed}.net/trkEE710410485CN.pif. Note that although the email promises a PDF, the file served is a .pif, an extension Windows treats as an executable, so opening it runs the Trojan directly.
Once downloaded and run, the Trojan injects code into C:\WINDOWS\System32\wuauclt.exe (the Windows Update client, a trusted process that is expected to make network connections) and runs it.
The Trojan adds the following files to the filesystem:
The Trojan adds the following key to the Windows registry so that it starts again after a reboot:
The Trojan makes the following DNS requests:
The Trojan was observed posting encrypted, potentially sensitive system information to a remote web server:
The Trojan was also observed making the following request to download additional malware from a remote web server:
The downloaded file mYhY8A9.exe is saved as: C:\Documents and Settings\{USER}\Local Settings\Temp\0114714.tmp
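The behaviour described above (a Run-key autostart entry, code injected into wuauclt.exe, and a downloaded executable dropped into the user's Temp folder under a .tmp name) can be triaged on a suspect host with a few checks. The script below is an added example written for this page; it is not code from the SonicWALL writeup. It assumes a current Windows host (Get-CimInstance and $env:TEMP rather than the XP-era paths in the writeup), and because the page does not name the registry value or the exact Run key, it lists every Run/RunOnce value instead of looking for one specific name.

```powershell
# Added triage checks for the Canada Post Trojan behaviour described above.
# Not from the SonicWALL writeup. Assumptions: modern Windows, PowerShell 5+,
# and no knowledge of the exact registry value name, so all autostart values
# are listed rather than a specific one.

# 1. Persistence: every Run/RunOnce value, flagging ones that launch from a
#    user-writable directory such as Temp, AppData or the old profile folder.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |     # drop PowerShell's own PSPath etc.
        ForEach-Object {
            $flag = if ($_.Value -match '\\Temp\\|\\AppData\\|\\Local Settings\\') { 'SUSPICIOUS' } else { '' }
            '{0,-10} {1,-24} {2}  [{3}]' -f $flag, $_.Name, $_.Value, $key
        }
}

# 2. Injection target: a legitimate wuauclt.exe lives in System32 and is
#    started by svchost.exe. Any instance with a different path or parent,
#    or one that was started while no update is running, deserves a look.
Get-CimInstance Win32_Process -Filter "Name = 'wuauclt.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        Pid       = $_.ProcessId
        Path      = $_.ExecutablePath
        Parent    = $parent.Name          # $null if the parent already exited
        ParentPid = $_.ParentProcessId
        OddPath   = $_.ExecutablePath -notlike "$env:SystemRoot\System32\*"
        OddParent = $parent.Name -ne 'svchost.exe'
    }
}

# 3. Dropped payload: the writeup shows the second-stage .exe saved under the
#    user's Temp folder with a .tmp extension. Find .tmp files that begin with
#    the "MZ" PE header, i.e. executables hiding behind a harmless name.
Get-ChildItem -Path $env:TEMP -Filter '*.tmp' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $fs = [System.IO.File]::OpenRead($_.FullName)
    try   { $b0 = $fs.ReadByte(); $b1 = $fs.ReadByte() }   # read only the first two bytes
    finally { $fs.Dispose() }
    if ($b0 -eq 0x4D -and $b1 -eq 0x5A) {
        '{0} is a PE executable disguised as .tmp ({1} bytes)' -f $_.FullName, $_.Length
    }
}
```

Run it from an elevated prompt so the HKLM keys and other users' processes are readable. A hit in any of the three checks is a lead, not a verdict: a legitimate installer can also leave a .tmp executable behind, so confirm with the hash of the file and the network destinations it contacts.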
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures: