Drive-by download leads to Backdoor Trojan

May 24, 2011

SonicWALL UTM Research team discovered instances of malicious Java applets being used to perform drive-by downloads of malware. Once the applet executes, the malware is downloaded and executed without any further user interaction. The downloaded malware was found reporting system information back to a remote server, and it also creates a backdoor on the victim's machine. When a user visits a malicious domain hosting the applet, the applet loads as seen below:

[Screenshot: the applet's permission prompt shown when the malicious page loads]

The applet is unsigned, so the user is prompted for permission before it runs. If the user proceeds and allows the applet to run, it silently downloads a file and executes it. The downloaded executable performs the following activities:

  • It creates the following copies of itself (note that two of the copies carry a .jpg extension despite being executables):
    • %appdata%\DocumentWriter.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\privzate.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\6858.jpg [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\51156.jpg [Detected as GAV: VB.SGQ (Trojan)]

  • It creates the following registry entry so that it runs each time the infected user logs on:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%appdata%\DocumentWriter.exe"
  • It determines the victim's public IP address with the following HTTP request to api.ipinfodb.com (the hard-coded API key makes this request a usable network indicator):
    • GET /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off

  • It opens a backdoor that listens on TCP port 1232
  • It sends information back to a remote server, such as version, infection date, IP address, OS information and screenshots
  • [Screenshot: information sent back to the remote server]
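As an added example (not part of the original SonicWALL write-up), the following Python script turns the indicators above into an offline triage check. It runs over a snapshot of collected host artifacts (file paths present on disk, Run key values, listening ports and proxy-log requests) rather than querying the live host, so it can be exercised on the constructed sample data below. The `HostSnapshot` structure, the `alice` profile paths and the sample values are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory above. Paths keep their Windows %VAR%
# prefixes and are expanded against a caller-supplied environment, so the
# check works on a collected snapshot as well as on the live host.
DROPPED_FILES = (
    r"%appdata%\DocumentWriter.exe",
    r"%temp%\privzate.exe",
    r"%temp%\6858.jpg",
    r"%temp%\51156.jpg",
)
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = r"%appdata%\DocumentWriter.exe"
BACKDOOR_PORT = 1232
IPINFO_HOST = "api.ipinfodb.com"
IPINFO_KEY = "1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d"

_ENV_RE = re.compile(r"%([^%]+)%")


def expand(path: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively and lower-case the result
    so that Windows paths can be compared exactly."""
    lookup = {k.lower(): v for k, v in env.items()}

    def sub(m):
        return lookup.get(m.group(1).lower(), m.group(0))

    return _ENV_RE.sub(sub, path).lower()


@dataclass
class HostSnapshot:
    """Artifacts collected from one host (hypothetical structure for this example)."""
    env: dict            # e.g. {"APPDATA": r"C:\Users\a\AppData\Roaming", "TEMP": ...}
    files: list          # absolute paths present on disk
    run_values: dict     # registry key -> list of value data strings
    listeners: list      # (proto, local_port) tuples, e.g. parsed from netstat -ano
    http_requests: list  # "host path" strings, e.g. parsed from a proxy log


def triage(snap: HostSnapshot) -> list:
    """Return a list of human-readable findings, one per matched indicator."""
    findings = []
    present = {p.lower() for p in snap.files}
    for ioc in DROPPED_FILES:
        if expand(ioc, snap.env) in present:
            findings.append(f"dropped file: {ioc}")
    wanted = expand(RUN_VALUE, snap.env)
    for key, values in snap.run_values.items():
        if key.lower() == RUN_KEY.lower():
            for v in values:
                # Value data may be quoted and may or may not be expanded.
                if expand(v.strip('"'), snap.env) == wanted:
                    findings.append(f"persistence: Run value {v}")
    for proto, port in snap.listeners:
        if proto.upper() == "TCP" and port == BACKDOOR_PORT:
            findings.append(f"backdoor listener: TCP/{port}")
    for req in snap.http_requests:
        host, _, path = req.partition(" ")
        if host.lower() == IPINFO_HOST and f"key={IPINFO_KEY}" in path:
            findings.append(f"IP lookup with the hard-coded ipinfodb key: {host}")
    return findings


# Constructed snapshot of an infected host (made-up user profile and values).
INFECTED = HostSnapshot(
    env={"APPDATA": r"C:\Users\alice\AppData\Roaming",
         "TEMP": r"C:\Users\alice\AppData\Local\Temp"},
    files=[
        r"C:\Users\alice\AppData\Roaming\DocumentWriter.exe",
        r"C:\Users\alice\AppData\Local\Temp\privzate.exe",
        r"C:\Users\alice\AppData\Local\Temp\6858.jpg",
        r"C:\Users\alice\AppData\Local\Temp\notes.txt",
    ],
    run_values={RUN_KEY: ['"C:\\Users\\alice\\AppData\\Roaming\\DocumentWriter.exe"',
                          r"C:\Program Files\OneDrive\OneDrive.exe"]},
    listeners=[("TCP", 135), ("TCP", 1232), ("UDP", 137)],
    http_requests=[
        "api.ipinfodb.com /v2/ip_query_country.php?key=" + IPINFO_KEY + "&timezone=off",
        "www.example.com /index.html",
    ],
)

# Constructed snapshot of a clean host sharing the same profile layout.
CLEAN = HostSnapshot(
    env=INFECTED.env,
    files=[r"C:\Users\alice\AppData\Local\Temp\notes.txt"],
    run_values={RUN_KEY: [r"C:\Program Files\OneDrive\OneDrive.exe"]},
    listeners=[("TCP", 135)],
    http_requests=["www.example.com /index.html"],
)

if __name__ == "__main__":
    for finding in triage(INFECTED):
        print("[!]", finding)
```

The file and Run key checks compare fully expanded, lower-cased paths so that `%appdata%\DocumentWriter.exe` and `C:\Users\alice\AppData\Roaming\DocumentWriter.exe` match regardless of how the collector recorded them; the network check keys on the exact hard-coded API key rather than on any request to api.ipinfodb.com, which legitimate software may also contact.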

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

GAV: ClsDLod.A (Trojan)
GAV: ClsDLod.A_2 (Trojan)
GAV: VB.SGQ (Trojan)