FakeAV spam campaign continues with Smart Protection 2012 (Feb 24, 2012)

The Sonicwall UTM research team has observed a recent continued FakeAV spam campaign effort. The underlying malware used is similar to that of a previous sonicalert. The FakeAV being spammed is named Smart Protection 2012 and uses the usual scare tactics to encourage the user to buy a license to disinfect the system.

The Trojan spreads through an email purported to be from FedEX Services. It requests the user to open and run the attachment that contains the Trojan:

The Trojan uses the following icon to masquerade as a harmless PDF file:

Upon infection, the Trojan makes the following changes to the file system:

It copies itself to:

• C:Documents and Settings{USER}Application Data81732E.exe

It creates the following files:

• C:Documents and Settings{USER}Local Settingstemp311.tmp
• C:Documents and Settings{USER}Local Settingstemp312.tmp

It adds the following key to the Windows registry to enable startup after reboot:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun Intel "C:Documents and Settings{USER}Application Data81732E.exe"

The Trojan makes the following DNS requests:

• www.google.com
• tropic18854.ru
• www.alphonsgunther.com
• www.m-land.hu
• www.mercierautos.ca

The Trojan downloads 1.exe from a remote webserver. It saves and runs it as 311.tmp and 312.tmp.

The Trojan was observed sending potentially sensitive encrypted system information to a remote webserver:

The Trojan Pops up the following windows upon infection:

The Trojan will display fake infection results:

If the "Remove all threats now" button is pressed it will display the following payment page:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: FakeAV.A_4 (Trojan)
• GAV: Winwebsec.AQUR_4 (Trojan)