September 17, 2008

SonicWALL UTM Research team observed a new spam campaign starting on Wednesday, Sep 17 at 00:41:58 PST, which uses fake legal paperwork as its social engineering lure.

SonicWALL has received 450 e-mail copies of this malware so far.

Attachment: (contains file contract.doc.exe)

The e-mail content is:
Dear customers,
We have prepared a contract and added the paragraphs that
you wanted to see in it.
Our lawyers made alterations on the last page.
If you agree with all the provisions we are ready to
make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.

If necessary, we can send it by fax.
Looking forward to your decision.

The subject lines used by this Trojan are:

  • Contract of order fulfillment
  • Contract of retirement
  • Contract of settlements
  • Loan Contract
  • Open an account
  • Permit for retirement
  • Record in debit of account
  • Rent contract
  • Your new labour contract

When run, it copies itself to C:\Program Files\Microsoft Common\wuauclt.exe, A:\system.exe and B:\system.exe

|--> http://www.econoco**.com/images/lspr.exe
|--> http://www.econoco**.com/images/rep.exe

The Trojan then changes the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "" = C:\Program Files\Microsoft Common\wuauclt.exe
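The Image File Execution Options (IFEO) key above is the persistence hook worth auditing on a suspect host: any IFEO subkey whose value points at an executable redirects launches of that program. The script below is an added example for defenders, not SonicWALL's code and not part of the original advisory. It parses a small .reg export (constructed here for the example, with the explorer.exe entry mirroring the value described above) and flags IFEO subkeys whose default or `Debugger` value points at an executable; the `Debugger` value name is an assumption added here because it is the usual IFEO redirection value, while the advisory itself shows an empty value name.

```python
import re
from typing import Dict, List, Tuple

# Registry path of the IFEO key named in the advisory.
IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options"
)

# Value names that make Windows run a different program in place of the
# named one. "(Default)" is how this script labels the "@" entry seen in
# the advisory; "Debugger" is an assumption added for completeness.
HIJACK_VALUE_NAMES = {"Debugger", "(Default)"}

# Constructed .reg export for the example (not captured from a real host).
# The explorer.exe entry mirrors the advisory; taskmgr.exe is a made-up
# second hit and notepad.exe a benign entry that must not be flagged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
@="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Public\\unknown.exe"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit 5.00 export into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # "@" is the key's default value; other names are quoted.
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # String values are quoted and backslash-escaped in .reg files.
            value = value[1:-1].replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def find_ifeo_hijacks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (hijacked program, value name, redirect target) for each IFEO
    subkey whose default or Debugger value points at an executable."""
    findings: List[Tuple[str, str, str]] = []
    exe_pattern = re.compile(r"\.exe\b", re.IGNORECASE)
    for key, values in keys.items():
        if not key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        program = key.rsplit("\\", 1)[1]
        for name, value in values.items():
            if name in HIJACK_VALUE_NAMES and exe_pattern.search(value):
                findings.append((program, name, value))
    return findings


if __name__ == "__main__":
    for program, name, target in find_ifeo_hijacks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"IFEO redirect: {program} [{name}] -> {target}")
```

On a live host the same check is done by exporting the IFEO key with `reg export` and feeding the file to `parse_reg_export`; a redirect of explorer.exe to a file under Program Files named after a Windows component, as in this advisory, is exactly the kind of hit that should be treated as a confirmed infection rather than a false positive.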

The Trojan is also known as Trojan.Win32.Agent.adyf (Kaspersky), TR/Dldr.Agent.RCE (Antivir) and Win32/AutoRun.ZV worm (Eset). It has a file size of 66,560 bytes.

SonicWALL has released a signature to protect against this threat: GAV: Agent.ADYF (Trojan)