FakeAV Downloader - CV spam

September 27, 2010

SonicWALL UTM Research team observed a new wave of Resume spam campaign starting at noon today. The e-mails contain a zip archive attached which contains the malicious executable file inside it. This is different from the FakeAV html campaign that we reported last week.

Resume spam campaign involves e-mails pretending to contain CV document attached with the e-mail. This spam theme was last used by Bredolab authors back in July, 2010. SonicWALL UTM Research team has received more than 20,000 e-mail copies from this spam campaign so far and it is still going on.

Some of the E-mail subjects we have seen in this campaign so far:

  • The resume document is attached.
  • I have attached the resume.
  • Please find attached.
  • Enclosed please find.
  • Here's that file that you wanted.
  • Enclosed is my CV for your consideration. Thanks

Sample e-mail messages looks like:

screenshot

The zip archive attachment contains a malicious executable file - cv.exe which is a new variant of FakeAV Downloader Trojan. Upon execution, it leads to the download and installation of FakeAV malware[Antivirus Safebrowser] on the victim machine and asks for payment.

screenshot

It attempts to connect to multiple malicious domains to download malware executables and related configuration files:

  • (REMOVED)lups.com/a/ad
  • (REMOVED)hamed.org/any3/5-direct.ex
  • (REMOVED)ndconvince.org/avt/avt_db
  • (REMOVED)ort.com/customers/getbuild.php

The following files are dropped onto the victim machine:

  • (User Favorites)_favdata.dat
  • (User Temp)asd94.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)asd95.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)asd96.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)asd97.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)eapp32hst.dll [Detected as GAV: ZPACK.GEN_187 (Trojan)]
  • (User Temp)wscsvc32.exe [Detected as GAV: Conficker.gen (Worm)]
  • (Program FilesAnViavt.db
  • (Program FilesAnViavt.exe [Detected as GAV: Kryptik.AT_7 (Trojan)]
  • (User Temp)dfrgsnapnt.exe [Detected as GAV: FraudLoad.XFUP (Trojan)]

If the user attempts to open any other legitimate executable file, the FakeAV malware will block the application launch and display a fake infection message as seen below for Calculator program:

screenshot

As seen before in other FakeAV malware analysis, it subsequently starts scanning the system files and displays more fake infections prompting the user to purchase the application in order to clean up the infections.

screenshot

SonicWALL Gateway AntiVirus provides protection against this FakeAV Downloader Trojan by GAV: Kryptik.AJD (Trojan) signature.

screenshot