Fake Order - Murlo.CBA Trojan
SonicWALL UTM Research team observed a new Trojan being spammed via Fake order spam campaign starting September 19, 2009. The email has a zip archived attachment which contains the new Murlo Trojan variant.
SonicWALL has received more than 100,000 e-mail copies of this malware so far. The e-mail looks like:
Attachment: nz.zip (contains nz.exe)
Subject: Thank you for setting the order No.475456
Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.
The e-mail message looks like below:
The executable file inside the zip attachment is packed with PEPACK v1.0 and it looks like:
The Trojan when executed performs following host level activity:
- Connects and download malicious executable from:
- Deletes the original file and drops following files:
- c:1.exe [Detected as GAV: Kryptik.AKT (Trojan)]
- (Program Files)AntivirusPro_2010AntivirusPro_2010.exe [Detected as GAV: FraudPack.TUH (Trojan)]
- (System)braviax.exe [Detected as GAV: FraudPack.FOI (Trojan)]
- Creates following registry entries to ensure that the malware runs upon system startup:
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunAntivirus Pro 2010 = ""(ProgramFiles)AntivirusPro_2010AntivirusPro_2010.exe" /hide"
- HKCUSoftwareMicrosoftWindowsCurrentVersionRunbraviax = "%System%braviax.exe"
The Trojan is also known as Trojan.Downloader.JMJA [BitDefender], Trojan-Downloader.Murlo [Ikarus], and TR/Dldr.Murlo.cba [AntiVir].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Murlo.CBA (Trojan) signature.[11,031,744 hits recorded starting September 19, 2009].