Fake McAfee E-mail protection tool - Banker Trojan

April 15, 2010

SonicWALL UTM Research team discovered a new Banker Trojan spam campaign themed around fake McAfee E-mail Protection alerts. The instance we observed was written in Portuguese and warns the recipient that their computer is infected with a virus.

The e-mail pretends to come from McAfee E-Mail Protection and informs the user that their computer is infected with a virus, Worm/Delf.JBH, which is sending malicious e-mails to every contact found on the machine. It further warns that the user's e-mail account will be permanently blocked if the virus is not removed, and offers a fake McAfee E-mail Protection cleanup tool for download via a URL in the message. Clicking the URL downloads the new Banker Trojan variant.

The e-mail message looks like:

screenshot

screenshot

screenshot

The downloaded fake McAfee E-mail protection cleanup tool looks like:

screenshot

If the user runs the malicious executable file, it performs the following activities:

  • Downloads and executes two further malicious executables, both of which are information-stealing Trojan variants. Note that they are served with a .jpg extension to disguise the download:
    • www.te(REMOVED)di.com/union/u6.jpg => C:\sshs.exe [Detected as GAV: Delf_150 (Trojan)]
    • www.te(REMOVED)di.com/union/u7.jpg => C:\ksso.exe [Detected as GAV: Hupigon_804 (Trojan)]

    Both files are compressed with the PECompact v2 packer. The site hosting them appears to be a compromised legitimate site, as shown below:

    screenshot

  • The above executables harvest e-mail addresses and log other sensitive information on the victim machine, then send the stolen data via HTTP POST requests to a malicious domain.
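The payloads above are fetched under a .jpg file name but written to disk as .exe files. A gateway or proxy can catch this mismatch by looking at the file's magic bytes rather than trusting the URL or Content-Type. The following is an added illustration written for this post, not SonicWALL's code and not the GAV engine: it checks whether a body claimed to be an image is actually a Windows PE executable (an "MZ" DOS header whose e_lfanew offset points at a "PE\0\0" signature). The sample bodies, the URL `http://example.invalid/union/u6.jpg` and the verdict names are all constructed for the example.

```python
import struct

# Constructed sample bodies for the example (no real malware is embedded).
# SAMPLE_JPEG: a minimal JFIF prefix followed by padding.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64


def build_fake_pe() -> bytes:
    """Build a minimal, non-executable PE-shaped blob: an MZ header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature at 0x80."""
    hdr = bytearray(b"MZ" + b"\x00" * 58)          # 60 bytes: up to offset 0x3C
    hdr += struct.pack("<I", 0x80)                   # e_lfanew = 0x80
    hdr += b"\x00" * (0x80 - len(hdr))               # pad out to the PE signature
    hdr += b"PE\x00\x00" + struct.pack("<H", 0x14C)  # signature + IMAGE_FILE_MACHINE_I386
    return bytes(hdr)


SAMPLE_PE = build_fake_pe()


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Guard against a truncated body or an e_lfanew that points past the end.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_jpeg(data: bytes) -> bool:
    """True if data begins with the JPEG start-of-image marker."""
    return data[:3] == b"\xff\xd8\xff"


def classify_download(url: str, content_type: str, body: bytes) -> str:
    """Compare what the URL/Content-Type claim with what the bytes really are.

    Verdicts (names chosen for this example):
      MASQUERADED_PE  - claims to be an image but carries a PE executable
      IMAGE_OK        - claims to be a JPEG and really is one
      PE_DECLARED     - an executable that does not pretend to be an image
      UNKNOWN         - none of the above; leave to other checks
    """
    claims_image = url.lower().endswith((".jpg", ".jpeg")) or \
        content_type.lower().startswith("image/")
    if is_pe(body):
        return "MASQUERADED_PE" if claims_image else "PE_DECLARED"
    if claims_image and is_jpeg(body):
        return "IMAGE_OK"
    return "UNKNOWN"


if __name__ == "__main__":
    # Constructed URL mirroring the u6.jpg => sshs.exe pattern described above.
    for body, label in ((SAMPLE_PE, "fake-pe"), (SAMPLE_JPEG, "real-jpeg")):
        verdict = classify_download("http://example.invalid/union/u6.jpg",
                                    "image/jpeg", body)
        print(f"{label}: {verdict}")
```

The check is deliberately based only on the first few hundred bytes of the body, so it can run on a streaming proxy before the full download completes; a packer such as PECompact changes the sections that follow but leaves the MZ/PE framing intact, so the mismatch is still visible.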

SonicWALL Gateway AntiVirus provides protection against this Trojan via the GAV: Banker.BXQ_3 (Trojan) signature.