Million dollar Tax draw spam leads to Banker Trojan (Feb 10, 2012)


The SonicWALL UTM Research team found a new Banking Trojan variant being spammed heavily over the past three days. The spammed e-mail pretends to contain a bank form asking the user to confirm an ACH transfer worth one million dollars. The zipped attachment actually contains a malicious executable whose file name embeds the Unicode Right-To-Left Override character (RLO, U+202E): everything after the override is rendered reversed, so a name ending in ".exe" is displayed as if it ended in a document extension, and the user sees what looks like a document file.
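The RLO trick, and a check a mail gateway could run on zipped attachments, as an added example that is not part of the original SonicWALL write-up. The file names, the in-memory ZIP and its contents are constructed here for illustration (the "MZ" bytes are a placeholder, not a malware sample); `displayed_name` is a deliberate simplification of the Unicode bidirectional algorithm that covers the single-override case used in this kind of campaign.

```python
import io
import zipfile

# Unicode bidirectional control characters that can disguise a file name.
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the one used by this trick
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", RLO,   # embeddings / overrides / pop
    "\u2066", "\u2067", "\u2068", "\u2069",        # isolates
}

# Extensions Windows will execute when the user double-clicks the file.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def strip_bidi(name: str) -> str:
    """Return the name with every bidi control character removed (what the OS opens)."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate what a file browser shows: text after the first RLO is drawn reversed.
    Simplification of the bidi algorithm; enough for the single-override trick."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + strip_bidi(tail)[::-1]


def real_extension(name: str) -> str:
    """Extension the OS actually uses, taken from the control-stripped name."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def analyse_name(name: str) -> dict:
    """Compare the name the user sees with the name the OS opens and flag mismatches."""
    has_override = any(ch in BIDI_CONTROLS for ch in name)
    real = real_extension(name)
    return {
        "actual": strip_bidi(name),
        "displayed": displayed_name(name),
        "real_ext": real,
        "has_bidi_override": has_override,
        # A bidi override in a file name that is really an executable is the RLO disguise.
        "suspicious": has_override and real in EXECUTABLE_EXTS,
    }


def scan_zip(data: bytes) -> list:
    """Analyse every member of a ZIP attachment; return findings for names carrying bidi controls."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result = analyse_name(info.filename)
            if result["has_bidi_override"]:
                findings.append(result)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (hypothetical names, placeholder bytes, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stored as "ACH_Transfer_Form_<RLO>fdp.exe"; displayed as "ACH_Transfer_Form_exe.pdf".
        zf.writestr("ACH_Transfer_Form_" + RLO + "fdp.exe", b"MZ" + b"\x00" * 14)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(f"displayed as {finding['displayed']!r}, actually {finding['actual']!r} "
              f"(.{finding['real_ext']}), suspicious={finding['suspicious']}")
```

The check deliberately keys on the control character itself rather than on the extension alone: a legitimate name has no reason to contain U+202E, so its presence in an attachment name is a strong signal even before the executable extension is confirmed.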

The SonicWALL Research team has captured more than 2000 copies of e-mails from this spam campaign in the past 48 hours. Below are some sample messages:


The malicious executable found in the zipped attachments looks like:


Upon execution, it performs the following activities:

  • Drops a copy of itself and runs it:

    • (Application Data)\KB00903122.exe [Detected as GAV: Injector.NYF (Trojan)]
  • Registry modifications:

    • HKU\<UserID>\Software\Microsoft\Windows Media Center [Uses this key to store the banking site list and the script to inject]
    • HKU\<UserID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000 [Forces Internet Explorer out of offline mode]
    • HKU\<UserID>\Software\Microsoft\Windows\CurrentVersion\Run\KB00903122.exe: "(Application Data)\KB00903122.exe" [Persistence: the dropped copy is started at every logon]
  • Connects to a remote server to send the victim machine's information and receives the list of banking sites and the script to inject:

    POST /rwx/B1_3n9/in/ HTTP/1.1
    Host:


SonicWALL Gateway AntiVirus provides proactive protection against this spam campaign via the following signatures:

  • GAV: Injector.NYF (Trojan)
  • GAV: Suspicious#rtol.dc (Trojan)

