FakeAV spam campaign continues with Smart Protection 2012

May 11, 2012

The Sonicwall UTM research team has observed a recent continued FakeAV spam campaign effort. The underlying malware used is similar to that of a previous sonicalert. The FakeAV being spammed is named Smart Protection 2012 and uses the usual scare tactics to encourage the user to buy a license to disinfect the system.

The Trojan spreads through an email purported to be from FedEX Services. It requests the user to open and run the attachment that contains the Trojan:

The Trojan uses the following icon to masquerade as a harmless PDF file:

Upon infection, the Trojan makes the following changes to the file system:

It copies itself to:

  • C:Documents and Settings{USER}Application Data81732E.exe [Detected as GAV: FakeAV.A_4 (Trojan)]

It creates the following files:

  • C:Documents and Settings{USER}Local Settingstemp311.tmp [Detected as GAV: Winwebsec.AQUR_4 (Trojan)]
  • C:Documents and Settings{USER}Local Settingstemp312.tmp [Detected as GAV: Winwebsec.AQUR_4 (Trojan)]

It adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun Intel "C:Documents and Settings{USER}Application Data81732E.exe"

The Trojan makes the following DNS requests:

  • www.google.com
  • tropic18854.ru
  • www.alphonsgunther.com
  • www.m-land.hu
  • www.mercierautos.ca

The Trojan downloads 1.exe from a remote webserver. It saves and runs it as 311.tmp and 312.tmp.

The Trojan was observed sending potentially sensitive encrypted system information to a remote webserver:

The Trojan Pops up the following windows upon infection:

The Trojan will display fake infection results:

If the "Remove all threats now" button is pressed it will display the following payment page:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.A_4 (Trojan)
  • GAV: Winwebsec.AQUR_4 (Trojan)