Fake Conficker Removal Tool - Agent.MSU

June 10, 2009

The SonicWALL UTM Research team observed a new Trojan Downloader being spammed in the wild starting June 9, 2009. The e-mail pretends to come from the Microsoft Security Department.

The e-mail claims to carry an important Windows XP/Vista security update related to the Conficker worm and contains a link to download a removal tool. That link actually points to the new Trojan Downloader. The malicious executable is hosted on a Russian (.ru) domain whose hostname is crafted to begin with windowsupdate.microsoft.com so that a casual reader takes it for a Microsoft address:

  • windowsupdate.microsoft.com.(Removed).ru/remtool_conf.exe

The downloaded file had zero AV detection at the time of writing this alert. It looks like this:
screenshot

When executed, the Trojan performs the following activities:

  • Stops the Windows Security Center service (service name: wscsvc), which suppresses the warnings Windows would otherwise raise about disabled antivirus or firewall protection.
  • Creates a new directory, nsf3.tmp, under the Windows temporary folder and drops webexplorer.exe, nsExec.dll, and NSISdl.dll into it. The two DLLs are standard NSIS installer plugins, and an ns*.tmp directory under %TEMP% is where NSIS-built installers extract their plugins.
  • Opens a new window displaying the EULA of the Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 (note that this decoy is a removal tool for Trojan.Brisv.A, not for the Conficker worm the e-mail advertises):
    screenshot

  • If the user clicks the Accept button and starts the tool, it runs for a while and displays a "fixbrisa" message box at the end:
    screenshot

  • Connects to the makemymoneys.com domain and downloads an Injector Trojan with an HTTP GET request:
    • GET /install/winupdate.exe
    • Detected as GAV: Injector.PI (Trojan)
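
Two of the indicators in this alert lend themselves to a simple network-side check: the lure's download host, which begins with windowsupdate.microsoft.com but is registered under a .ru domain, and the follow-on GET for /install/winupdate.exe from makemymoneys.com. The Python below is an added example, not SonicWALL's code and not part of the original alert. It runs the alert's indicators over a few constructed proxy log lines (the log format, the client addresses and the label removed-placeholder, which stands in for the host label the alert removed, are all assumptions) and also flags any executable fetched from a host that embeds a trusted domain name as a leading sub-label, which generalizes the hostname trick beyond this one campaign.

```python
"""Network-side checks for the fake Conficker removal tool campaign.

Added example, not SonicWALL's code.  The indicators (remtool_conf.exe,
makemymoneys.com, /install/winupdate.exe, the microsoft.com-prefixed .ru
host) come from the alert; the proxy log lines and the log format are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Exact host+path indicator quoted in the alert.
IOC_PATHS = {("makemymoneys.com", "/install/winupdate.exe"): "Injector.PI download"}
# File name served from the spoofed windowsupdate host.
IOC_FILENAMES = {"remtool_conf.exe": "Agent.MSU dropper"}
# Domains whose name the lure borrows as a leading sub-label.
TRUSTED_DOMAINS = {"microsoft.com"}

# Constructed log format (assumption): timestamp client method url status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

# Constructed sample.  The alert removed the real label between
# 'microsoft.com.' and '.ru'; 'removed-placeholder' stands in for it here.
SAMPLE_LOG = """\
2009-06-09T10:12:01 10.0.0.15 GET http://windowsupdate.microsoft.com.removed-placeholder.ru/remtool_conf.exe 200
2009-06-09T10:12:45 10.0.0.15 GET http://makemymoneys.com/install/winupdate.exe 200
2009-06-09T10:13:02 10.0.0.22 GET http://www.microsoft.com/en-us/default.aspx 200
2009-06-09T10:14:10 10.0.0.31 GET http://download.windowsupdate.com/v7/wuredir.cab 200
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('a.b.example.ru' -> 'example.ru').

    Adequate for this check; production code should use the Public
    Suffix List so that suffixes such as 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brand(host: str):
    """Return the trusted domain a hostname imitates, or None.

    Flags 'windowsupdate.microsoft.com.<anything>.ru' because the string
    '.microsoft.com.' appears on label boundaries while the registrable
    domain is not microsoft.com.  Real microsoft.com hosts are not flagged,
    and neither is 'notmicrosoft.com...', since labels are matched whole.
    """
    host = host.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if f".{trusted}." in f".{host}.":
            return trusted
    return None


def scan_log(text: str) -> list:
    """One finding per log line that hits a campaign indicator or fetches
    an executable from a host imitating a trusted domain."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the constructed format
        url = urlsplit(match["url"])
        host = (url.hostname or "").rstrip(".")
        path = url.path
        filename = path.rsplit("/", 1)[-1].lower()
        reasons = []
        if (host, path) in IOC_PATHS:
            reasons.append(IOC_PATHS[(host, path)])
        if filename in IOC_FILENAMES:
            reasons.append(IOC_FILENAMES[filename])
        brand = spoofed_brand(host)
        if brand and filename.endswith(".exe"):
            reasons.append(f"executable from host spoofing {brand}")
        if reasons:
            findings.append({"client": match["client"], "host": host,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["host"] + finding["path"],
              "; ".join(finding["reasons"]))
```

On the sample above the first two lines are reported (the dropper fetch from the spoofed host, and the Injector.PI download from makemymoneys.com) while the genuine microsoft.com and windowsupdate.com requests are left alone. The registrable-domain helper simply takes the last two labels, which is enough for these hosts; a deployment that sees .co.uk-style suffixes should swap in a Public Suffix List lookup.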

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Agent.MSU (Trojan) signature.

A screenshot of the original e-mail message is shown below:

screenshot