American Airlines Ticket Spam - XP Home Security 2012

December 22, 2011

The Sonicwall UTM research team discovered a new spam campaign spreading a well known FakeAV: XP Home Security 2012.

The Trojan spreads through email and arrives as a zipped email attachment purporting to be from American Airlines:

The Trojan uses the following icon in an attempt to masquerade as a harmless PDF file:

The Trojan performs the following DNS queries:

  • www.mortg{removed}.tv
  • refunados{removed}.ru
  • www.tria{removed}.org

The Trojan spawns svchost.exe and injects code into it, causing it to make the following HTTP GET request to a compromised remote web server:

The Trojan downloads 1.exe, renames it to gio.exe and executes it. It uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe [Detected as GAV: FakeAv.JICD (Trojan)]
  • C:\Documents and Settings\{USER}\Application Data\csrss.exe [Detected as GAV: Bredo.T (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\708j72l30qfte5ro4u62483b417elw [Detected as GAV: FakeAvCn.C (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_CLASSES_ROOT\J2\shell\open\command "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -a "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "WinRAR SFX" "C:\Documents and Settings\{USER}\Application Data\csrss.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "bieovju" rundll32 C:\DOCUME~1\{USER}\APPLIC~1\MICROS~1\Protect\yxikrlc.n, dquc

The Trojan deletes the following keys from the Windows registry to disable automatic updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
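The registry changes listed above (a hijacked .exe file-type handler, autostart entries pointing into the user profile, a rundll32 entry loading a module with a non-DLL extension, and a deleted Windows Update service key) are the kind of artifacts a host audit can check for generically. The following is an added example written for this page, not SonicWALL code: it runs detection rules over registry records already exported from a hive (for instance from `reg export` or a forensic hive parser), so it runs offline. The sample records are constructed from the advisory's indicators, with the username `alice` standing in for `{USER}`, plus one benign entry that must not be flagged.

```python
"""Audit exported registry records for the FakeAV persistence artifacts
described in the advisory.  Added example (not SonicWALL code); the sample
records at the bottom are constructed from the advisory's indicators."""
import re
from dataclasses import dataclass


@dataclass
class RegValue:
    key: str   # full key path, e.g. HKEY_CLASSES_ROOT\.exe\shell\open\command
    name: str  # value name; "" stands for the (Default) value
    data: str


# What Windows itself stores as the (Default) of HKCR\.exe\shell\open\command.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Autostart locations used by the Trojan, matched case-insensitively by suffix.
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)

# Extensions a rundll32 target normally carries; anything else is suspicious.
DLL_EXTENSIONS = (".dll", ".cpl", ".ocx", ".ax")

WUAUSERV_KEY = r"hkey_local_machine\system\currentcontrolset\services\wuauserv"


def check_exe_handler(values):
    """Flag any .exe open handler whose (Default) is not Windows' own value."""
    return [
        f"exe handler hijacked under {v.key}: {v.data}"
        for v in values
        if v.key.lower().endswith(r"\.exe\shell\open\command")
        and v.name == ""
        and v.data.strip() != DEFAULT_EXE_COMMAND
    ]


def check_run_entries(values):
    """Flag autostart entries that run from a user profile or misuse rundll32."""
    findings = []
    for v in values:
        if not any(v.key.lower().endswith(s) for s in RUN_KEY_SUFFIXES):
            continue
        data = v.data.lower()
        # Both the long-name and the 8.3 short-name forms of the profile path.
        if "\\application data\\" in data or "applic~1" in data:
            findings.append(f"autostart from user profile: {v.name} = {v.data}")
        # rundll32 <module>, <entrypoint>: the module should be a real DLL.
        m = re.match(r'\s*"?rundll32(?:\.exe)?"?\s+([^,]+)', data)
        if m and not m.group(1).strip().strip('"').endswith(DLL_EXTENSIONS):
            findings.append(f"rundll32 loading non-DLL module: {v.name} = {v.data}")
    return findings


def check_update_service(key_paths):
    """Report the Windows Update service key as missing (the advisory's deletion)."""
    present = {k.lower() for k in key_paths}
    if WUAUSERV_KEY in present:
        return []
    return ["wuauserv service key missing: automatic updates disabled"]


def audit(values, key_paths):
    """Run all three checks and return the combined list of findings."""
    return (check_exe_handler(values)
            + check_run_entries(values)
            + check_update_service(key_paths))


# Constructed sample modelled on the advisory; "alice" stands in for {USER}.
PROFILE = r"C:\Documents and Settings\alice"
SAMPLE_VALUES = [
    RegValue(r"HKEY_CLASSES_ROOT\.exe\shell\open\command", "",
             f'"{PROFILE}\\Local Settings\\Application Data\\gio.exe" -a "%1" %*'),
    RegValue(r"HKEY_CLASSES_ROOT\J2\shell\open\command", "",
             f'"{PROFILE}\\Local Settings\\Application Data\\gio.exe" -a "%1" %*'),
    RegValue(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
             "WinRAR SFX", f'"{PROFILE}\\Application Data\\csrss.exe"'),
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
             "bieovju", r"rundll32 C:\DOCUME~1\alice\APPLIC~1\MICROS~1\Protect\yxikrlc.n, dquc"),
    # Benign (constructed) autostart entry that must not be flagged.
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
             "Example Updater", r"C:\Program Files\Example\updater.exe"),
]
# Service keys present in the sample hive: wuauserv has been deleted.
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",
]

if __name__ == "__main__":
    for line in audit(SAMPLE_VALUES, SAMPLE_KEYS):
        print(line)
```

Run against the sample, the audit reports five findings: the hijacked .exe handler, the two profile-resident autostarts, the rundll32 entry loading `yxikrlc.n`, and the missing wuauserv key; the benign entry and the default handler value pass. The rules are deliberately generic (they key on the .exe handler default, the profile directory and the module extension rather than on the names gio.exe or csrss.exe), so renamed droppers from the same family would still be caught.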

The Trojan runs gio.exe using the following command line:

      "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -dtm -a

The Trojan pops up the following FakeAV windows in an attempt to fool the user into buying the software:

The Trojan blocks certain applications from running, such as Task Manager and Internet Explorer:

The Trojan was observed opening the following files and directories (the saved-site stores of the WS_FTP, FlashFXP and FileZilla FTP clients, which hold stored server credentials):

      C:\Program Files\Common Files\Ipswitch\WS_FTP\*.*0x00
      C:\Documents and Settings\{USER}\Application Data\Ipswitch\WS_FTP\Sites\*.*
      C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat
      C:\Documents and Settings\{USER}\Application Data\FileZilla\sitemanager.xml
      C:\Documents and Settings\{USER}\Application Data\FileZilla\recentservers.xml

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Bredo.T (Trojan)
  • GAV: FakeAv.JICD (Trojan)
  • GAV: FakeAvCn.C (Trojan)