Spam campaign roundup: The Valentine's Day Edition (Feb 13, 2015)

With Valentine's Day just around the corner and people searching for the perfect gift for their loved ones, cybercriminals have been busy distributing an increasing amount of Valentine's Day related spam, carrying links to fake advertisements, online offers, and even supposed photos or videos.

Over the last week, the Dell SonicWALL threats research team has been tracking down all Valentine’s Day related spam emails.

Figure 1: Number of spam emails received per day

As Valentine's Day approaches, we are seeing an increasing amount of spam email with links to phony florists or online retailers who promise a deal but offer no guarantee of ever delivering the products or services. Below are some of the most common email subjects:

  • Valentine’s Day is unforgettable with stunning roses. 25% off!
  • Your new love life is waiting for you
  • Fall in love with these prices
  • Achieve tips to unleash your love life
  • Valentine’s Flowers: Save 50% Today! Order Now
  • Coolest iPhone Accessory / Valentine’s Gift / GPS Tracking. Only 1000 Left.
  • Bouquets of Love 25% off
  • Valentine’s Day SALE STARTS NOW! Extra 90% Off + Ray Ban

Some emails provide links to photos, videos or online greetings that a "loved one" or a "secret admirer" has supposedly left for you. Clicking these links often leads to survey scams, phishing sites or even malware.
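The two lure styles above (retail deals and "someone left you a greeting") can be triaged mechanically. The following Python is an added example and is not code from the SonicWALL post: it parses raw messages, takes the Subject and every link in the body, and records three signals the post describes: a seasonal lure subject, a link whose visible text names a different host than its real target, and a link that points straight at an executable download. The sample messages, the `*.example` domains and the keyword list are constructed for this example.

```python
"""Lure-email triage (added example, not from the SonicWALL post)."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Subject words common to the lure subjects listed in the post (constructed pattern).
LURE_TERMS = re.compile(r"valentine|secret admirer|love life|roses|bouquet|e-?card", re.I)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EXE_EXT_RE = re.compile(r"\.(exe|scr|msi|zip)$", re.I)
LOOKS_LIKE_HOST_RE = re.compile(r"^[\w.-]+\.[a-z]{2,}$", re.I)

# Constructed sample messages; the .exe name is one reported in the post.
SAMPLES = {
    "florist_lure": (
        "From: deals@flowers.example\n"
        "Subject: Valentine's Flowers: Save 50% Today! Order Now\n"
        "Content-Type: text/html\n\n"
        "<p>Roses for your loved one.</p>"
        '<a href="http://promo.example.net/go?id=77">www.bigflorist.example</a>'
    ),
    "ecard_dropper": (
        "From: cards@greetings.example\n"
        "Subject: A secret admirer left you an e-card\n"
        "Content-Type: text/html\n\n"
        '<a href="http://cards.example.org/Valentine_Photo_Card_Maker_downloader.exe">View your card</a>'
    ),
    "benign": (
        "From: hr@corp.example\n"
        "Subject: Q1 timesheet reminder\n"
        "Content-Type: text/html\n\n"
        '<a href="https://intranet.corp.example/timesheets">intranet.corp.example</a>'
    ),
}


def body_text(msg: Message) -> str:
    """Return the decoded text of the first text/* part (or the whole body)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() == "text":
            return part.get_payload(decode=True).decode("utf-8", errors="replace")
    return ""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or of a bare host string."""
    s = url.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def score_message(raw: str) -> dict:
    """Collect findings for one raw message; the score is the number of findings."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    findings = []
    if LURE_TERMS.search(subject):
        findings.append("lure_subject")
    for href, inner_html in ANCHOR_RE.findall(body_text(msg)):
        shown = re.sub(r"<[^>]+>", "", inner_html).strip()
        if EXE_EXT_RE.search(urlparse(href).path):
            findings.append("exe_link:" + href)
        # Anchor text that reads as a hostname but actually leads somewhere else.
        if LOOKS_LIKE_HOST_RE.match(shown) and host_of(shown) != host_of(href):
            findings.append(f"host_mismatch:{host_of(shown)}->{host_of(href)}")
    return {"subject": subject, "findings": findings, "score": len(findings)}


def triage(samples: dict) -> dict:
    """Map each sample name to its score."""
    return {name: score_message(raw)["score"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_message(raw))
```

The host-mismatch check only fires when the anchor text itself looks like a hostname, so ordinary "Order Now" links do not produce false positives; a message scoring 2 or more here is worth holding for review rather than delivering.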

Figure 2: Sample Spam Emails

Cybercriminals have also covered those who turn to the internet for an instant, inexpensive last-minute idea such as sending an e-card: searching online for a free personalized Valentine's card turns up links to compromised websites that host malicious applications.

Figure 3: Example of a link to a compromised website

Clicking on the link redirects to a website that asks the user to download an application that supposedly installs an e-card maker. The installers were seen under the following filename variations:

  • Valentine photo card maker_10924_i31536652_il345.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • Valentine_Photo_Card_Maker_downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • Templates_For_Photo_Card_Maker_downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]

Infection Cycle:

Upon execution, the Trojan silently downloads additional malware components.

Figure 4: Trojan sends an HTTP GET request to download additional components

The user is also prompted to agree to install applications other than the one they intended to install.

Figure 5: User prompt to install Internet Optimizer

We observed several other adware applications being downloaded and silently installed on the system.

Figure 6: Example of several HTTP GET requests to download additional malware

The downloaded malware components are copied into the %TEMP% directory under the following names:

  • %TEMP%\7BlLXcbJeA.exe [Detected as GAV: Badur.FDSP (Trojan)]
  • %TEMP%\aCp6I5CqLt.exe [Detected as GAV: Tuto4PC.A_7 (Adware)]
  • %TEMP%\bFtBuOwbCT.exe [Detected as GAV: Swiftbrowse.A_3 (Adware)]
  • %TEMP%\UnfBln5TIv.exe [Detected as GAV: Swiftbrowse.A_3 (Adware)]
  • %TEMP%\HRdM16yyj6.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %TEMP%\bes29A3.exe [Detected as SPY: OfferInstaller.A (Adware)]
  • %TEMP%\BackupSetup.exe [Detected as GAV: MyPcBackup.A_2 (Adware)]
  • %TEMP%\PAqKNEvlB5.exe [Detected as GAV: DownloadMR.A_20 (Trojan)]

The following files were then silently installed:

  • %PROGRAMFILES%\MyPC Backup\BackupStack.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Configuration Updater.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Signup Wizard.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Updater.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\MyPC Backup.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Service Start.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\SignupWizard.dll [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\BackupStackUI.dll [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptimizerPro.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProGuard.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProHelper.dll [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProLauncher.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProReminder.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProSchedule.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProSmartScan.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProStart.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProUninstaller.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\ospd_us_835\ospd_us_835.exe [Detected as GAV: Tuto4PC.A_7 (Adware)]
  • %PROGRAMFILES%\Pinner for Pinterest\Pinner for Pinterest.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\PricceeLess\rUiCnUMEjQbrDn.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\PricceeLess\rUiCnUMEjQbrDn.dll [Detected as GAV: MultiPlug.H_20 (Adware)]
  • %PROGRAMFILES%\Youtubeadblocker\NIiczbdjsU56cu.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\Youtubeadblocker\NIiczbdjsU56cu.dll [Detected as GAV: MultiPlug.H_20 (Adware)]
  • %PROGRAMFILES%\SmileFiles\downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • %PROGRAMFILES%\SmileFiles\SmileFiles.exe [Detected as GAV: SmileFiles.A (Adware)]
  • %PROGRAMFILES%\SmileFilesUpdater\SmileFilesUpdater.exe [Detected as GAV: SmileFiles.A (Adware)]
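The infection cycle just described (one installer writing a series of executables into %TEMP% and launching each of them within minutes) is a pattern endpoint telemetry can catch without a signature for any individual payload. The Python below is an added detection example, not code from the SonicWALL post: it reads Sysmon-style FileCreate and ProcessCreate events, flags any process that writes at least three new `.exe` files directly into a user's Temp directory inside a five-minute window, and lists which of those files the same process then executed. The event format, the thresholds and every log line are constructed for this example; the dropped file names are the ones reported above.

```python
"""Drop-and-run detection over constructed endpoint events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

MIN_DROPS = 3          # assumed threshold: executables dropped by one process
WINDOW_MINUTES = 5     # assumed window: the post observed "within minutes"

LINE_RE = re.compile(r"^(\S+) (FileCreate|ProcessCreate) (.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)

# Constructed events: a downloader (pid 4120) drops and runs three payloads;
# a legitimate installer (pid 5100) drops a single helper and stops there.
SAMPLE_LOG = r"""
2015-02-12T10:00:41Z ProcessCreate pid="4120" ppid="3004" image="C:\Users\bob\Downloads\Valentine_Photo_Card_Maker_downloader.exe"
2015-02-12T10:01:03Z FileCreate pid="4120" image="C:\Users\bob\Downloads\Valentine_Photo_Card_Maker_downloader.exe" target="C:\Users\bob\AppData\Local\Temp\7BlLXcbJeA.exe"
2015-02-12T10:01:20Z ProcessCreate pid="4188" ppid="4120" image="C:\Users\bob\AppData\Local\Temp\7BlLXcbJeA.exe"
2015-02-12T10:01:45Z FileCreate pid="4120" image="C:\Users\bob\Downloads\Valentine_Photo_Card_Maker_downloader.exe" target="C:\Users\bob\AppData\Local\Temp\aCp6I5CqLt.exe"
2015-02-12T10:02:10Z ProcessCreate pid="4202" ppid="4120" image="C:\Users\bob\AppData\Local\Temp\aCp6I5CqLt.exe"
2015-02-12T10:02:58Z FileCreate pid="4120" image="C:\Users\bob\Downloads\Valentine_Photo_Card_Maker_downloader.exe" target="C:\Users\bob\AppData\Local\Temp\bFtBuOwbCT.exe"
2015-02-12T10:03:05Z ProcessCreate pid="4230" ppid="4120" image="C:\Users\bob\AppData\Local\Temp\bFtBuOwbCT.exe"
2015-02-12T11:15:00Z FileCreate pid="5100" image="C:\Users\bob\Downloads\editor-setup.exe" target="C:\Users\bob\AppData\Local\Temp\setup_helper.exe"
"""


def parse_event(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, kind, rest = m.groups()
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["kind"] = kind
    return ev


def detect(lines, min_drops=MIN_DROPS, window_minutes=WINDOW_MINUTES):
    """Return one alert per process that drops >= min_drops .exe files into Temp within the window."""
    drops = defaultdict(list)     # (pid, image) -> [(ts, dropped path)]
    launched = defaultdict(set)   # parent pid -> {images it started, lower-cased}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "FileCreate" and TEMP_EXE_RE.search(ev.get("target", "")):
            drops[(ev["pid"], ev["image"])].append((ev["ts"], ev["target"]))
        elif ev["kind"] == "ProcessCreate":
            launched[ev["ppid"]].add(ev["image"].lower())

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (pid, image), items in drops.items():
        items.sort()
        for i in range(len(items)):
            # Extend from drop i to the last drop still inside the window.
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            if j - i + 1 >= min_drops:
                dropped = [path for _, path in items[i:j + 1]]
                alerts.append({
                    "pid": pid,
                    "image": image,
                    "window_start": items[i][0].isoformat(),
                    "dropped": dropped,
                    "executed": [p for p in dropped if p.lower() in launched[pid]],
                })
                break  # one alert per dropping process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The "executed" list is what separates this from a noisy installer: a legitimate setup program may stage helpers in Temp, but a process that both writes several executables there and spawns each of them in quick succession matches the behaviour documented above and deserves containment of the parent image.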

Within minutes of infection, this Trojan downloaded and installed multiple other malicious applications. We therefore urge users to remain vigilant and cautious with any unsolicited email: avoid clicking on unknown URLs, providing personal information, or installing unfamiliar applications, especially when you are not certain of the source.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: VMProtBad.A_6 (Trojan)
  • GAV: DownloadMR.A_20 (Trojan)
  • GAV: Badur.FDSP (Trojan)
  • GAV: Tuto4PC.A_7 (Adware)
  • GAV: Swiftbrowse.A_3 (Adware)
  • GAV: MyPcBackup.A_2 (Adware)
  • GAV: MyPcBackup.A_3 (Adware)
  • GAV: DigiPlug.A_2 (Adware)
  • GAV: MultiPlug.H_20 (Adware)
  • GAV: SmileFiles.A (Adware)
  • SPY: OptimizerPro.A (Adware)
  • SPY: OfferInstaller.A (Adware)
