Fake Canada Post Spam campaign leads to Trojan (Jan 20, 2012)

The Sonicwall UTM research team received reports of a new Spam compaign purported to come from Canada Post Corporation. The Trojan spreads by using an email that attempts to trick the user into downloading a delivery status PDF file.

Below is a screenshot of the email:

The email provides fake canada post URLs, one of which leads to the download of the Trojan www.magya{removed}.net/trkEE710410485CN.pif

Once downloaded and run, the Trojan injects code into C:WINDOWSSystem32wuauclt.exe and runs it.

The Trojan adds the following files to the filesystem:

• C:Documents and SettingsAll UsersLocal SettingsTempeldf1dff000f1071.exe
• C:Documents and Settings{USER}Local SettingsTemp0114714.tmp

The Trojan adds the following key to the windows registry to enable startup after reboot:

The Trojan makes the following DNS requests:

• www.goo{removed}n.net
• www.poli{removed}

The Trojan was observed posting potentially sensitive encrypted system information to a remote web server:

The Trojan was also observed making the following request to download additional malware from a remote web server:

The downloaded file mYhY8A9.exe is saved as: C:Documents and Settings{USER}Local SettingsTemp0114714.tmp

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Injector.NDP (Trojan)
• GAV: Injector.NDP_2 (Trojan)
• GAV: Injector.NDP_3 (Trojan)
• GAV: Injector.NDP_4 (Trojan)
• GAV: Injector.NDP_6 (Trojan)
• GAV: Injector.KLH (Trojan)