Angelina Jolie video spam

October 7, 2008

SonicWALL UTM Research team observed a new wave of the on-going Angelina Jolie video spam campaign starting on Monday, October 6, 2008. The email has a zip archived attachment which contains the new Downloader Trojan variant.

SonicWALL has received more than 60,000 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: (contains video.exe - UPX packed)

Subject: Angelina Jolie Free Video

Email Body:
New sex scandal, Angelina Jolie porn watch in attached file

The Trojan when executed drops following malicious files in the system folder:

  • gzipmod.dll
  • vbagz.sys

It also creates the following Registry keys to ensure that gzipmod.dll is installed as a Winlogon notification package:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
  • HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
  • HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys

The Trojan includes a backdoor component that listens on TCP port 6051 & 6052. It also tries to resolve the following domains and subsequently sends HTTP requests to them:


The Trojan is also known as Trojan.Spy.Goldun.NDU [BitDefender], Win32/Spy.Goldun.NDN trojan [ESET], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.XQL (Trojan) signature.