SonicWALL UTM Research team received reports of a new spam campaign pretending to be arriving from McDonalds Restaurants being spammed in the wild. This campaign includes subject about “McDonalds Free Dinner”.

The sample e-mail format of the spam campaign includes the following:

Subject:

• Come to us at our holiday of healthy and free food
• Dont miss The Free Five-Course Dinner Day
• Find the invitation to Free Day in the letter
• Get a ticket for free helpings
• Large free dish of five courses
• Tasty and free food for each visitor
• The Free Day holiday is here
• The Free Dinner Day
• The letter contains the ticket for free helpings
• We are having the holiday of free food
• We gift you a ticket to the day of free dishes

Attachment: Invitation_Card{Random Numbers}.zip (22.9KB)

The executable file masquerades as a Microsoft Word document by using an icon seen below:

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

• Creates the process SVCHOST.EXE and injects its code.
• Copies itself as %Startup%/dxdiag.exe [ detected as GAV: Obfuscator.PO_2 (Virus) ] Sets the time stamp as the same with ntdll.dll to hide itself from malware tools that checks for newly created files.
• Deletes the original executable file

Downloads other malware:

• Application Datagog.exe – [ detected as GAV: FakeAV.LSX (Trojan) ]

Dropped files:

• Application Datacompletescan
• Application Datact_start
• Application Data1.gif
• Application Datainstall
• Application Datastart

Added Registry:

• Key: HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon
  Value: Shell
  Data:”Application Datagog.exe”

Network Activity:

This malware steals system information and sends them to remote server every 96 seconds.

User-Agent: Our_Agent
• http://diamond{REMOVED}e2011.ru//forum/task.php?bid={VolumeInfo}&os={OS Version}&uptime=0&rnd={random number}

Once the remote server receives the system information, it will acknowledge it and reply with commands as follows:

• download – download other malware
• update – update itself

FakeAV

This malware also downloads and installs FakeAV application. Once installed it will show a Fake Microsoft Security Essentials Alert as seen below:



After Clicking the “Scan Online” Button, it will show this message and prompts for rebooting the system:



After rebooting the system, the following FakeAV screens will appear. It will then ask the user to pay for the software to completely clean the system.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Obfuscator.PO_2
• GAV: FakeAV.LSX (Trojan)
• GAV: Zurgop.Z#email (Trojan)

SonicWALL UTM Research team has observed a rise in fake desktop utility malware in the wild. A new fake windows recovery malware is making the rounds through drive-by downloads. We have observed other variants before but this variant employs some new tactics such as disabling the task manager, hiding user programs and files by modifying file attributes, hiding start menu items and disabling multiple operating system features.

As seen in the past with other fake utilities, it attempts to scare the user with fake errors and tries to convince the user to buy the product in order to fix those errors. It uses a fake icon and file name to masquerade as a legitimate file as seen below:

It performs the following activities:

• It creates a copy of itself in the following location
  • AppData%uaaiHfWFhq.exe
• It reports new infection to a remote server
  • GET /404.php?type=stats&affid=508&subid=new02&awok HTTP/1.1
• It creates the following registry entry to ensure infection on reboot
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunuaaiHfWFhq:”%AppData%uaaiHfWFhq.exe”
• It executes the following commands in the background to modify the file attributes to be hidden
  • attrib +h “C:DocumentsandSettingsAllUsersStartMenu*.*”
  • attrib +h “C:DocumentsandSettingsAdministrator*.*”
  • attrib +h “C:*.*”
• It moves contents of start menu from “All UsersStart MenuPrograms” to “%Temp%smtmp1”
• It modifies the following registry values to disable various features
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr
    – Disables the task manager
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidden
    – Disables viewing of protected operating system files
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedShowSuperHidden
    – Disables viewing of hidden files
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDesktop
    – Hides desktop icons
  • HKEY_CURRENT_USERSoftwareMicrosoftInternetExplorerDownloadCheckExeSignatures
    – Disables warning for downloaded software from untrusted publishers
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAttachmentsSaveZoneInformation
    – Disables preservation of zone information in downloaded and attached files

Here are some screenshots of the fake utility in action:

It generates fake warnings:

It simulates a scan and displays fake error messages:

If the user proceeds to buy the advanced module it displays the following screen asking for credit card and personal information:

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

• GAV: FakeSysdef (Trojan)
• GAV: FakeSysdef.A (Trojan)
• GAV: Fakesysdef.BDA (Trojan)
• GAV: Fakesysdef.BDB (Trojan)
• GAV: Fakesysdef.BDC (Trojan)
• GAV: Fakesysdef.BDD_2 (Trojan)
• GAV: Fakesysdef.BDE (Trojan)
• GAV: Dapato.AR (Trojan)
• GAV: Dapato.D (Trojan)

SonicWALL UTM found reports of a new Facebook malware targeting Mac OS X and Windows users. The malware is actively spreading via a fake viral video utilizing through Facebook at the time of writing this alert.

A few weeks back we saw the first Rogue AV malware targeting Mac & Windows users via poisoned Google search results. This is the first instance of Facebook clickjacking worm targeting Mac and Windows users alike via a fake controversial video claiming to be of IMF boss Dominique Strauss-Kahn. The video is in reference to the news story that made headlines a few weeks back. This is a classic example of malware authors utilizing social engineering techniques to target large number of users via social media.

If a Mac user clicks on the video, it will redirect the user to a Fake AV landing page that will run an animation showing Apple security center malware scanning and eventually fake infections. It then prompts the user to download and install Rogue AV in order to clean up the infections as seen below:

Besides displaying Fake infection alerts, it also randomly opens pornographic websites in the browser from a predetermined list. This Rogue AV is similar in functionality to MACDefender except that it does not prompt the user for an administrator password in order to install. We were also able to confirm that this new Rogue AV variant evades the latest Apple security update .

If a Windows user clicks on the video, it will redirect the user to a fake YouTube look-alike site and prompts the user with a fake message to update Adobe Flash player in order to view the video. The user will download and install a Trojan executable if he runs the Flash update from that site as seen below:

The dropped malware files for both Windows and Mac have a very low AV detection at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: MacDefender.A (Trojan)
• GAV: MacDefender.FB (Trojan)
• GAV: MalAgent.E_8 (Trojan)