FakeXvid.A - Increase in drive-by infections

May 22, 2011

The SonicWALL UTM research team has seen a sudden increase in drive-by infection malware. Such an infection takes place when a user simply visits a website that uses a known browser exploit. Some of these websites are hosted on legitimate servers that have been compromised.

The Trojan is being actively spammed via e-mails containing malicious links.

The link in the email directs the user to a malicious website pretending to host a video that requires the XVID codec.

The website page contains an iframe HTML tag that causes the download of a malicious PDF file.

The PDF file employs a known (heap spray) exploit to run malicious code. The code decrypts and runs a script. This script downloads and runs setup.exe [Detected as Kryptik.NTI_3 (Trojan)].

The webpage will also initiate the download of XvidSetup.exe [Detected as FakeXvid.A (Trojan)].

The Trojan performs the following DNS queries:

  • smtp.mail.ru

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\setup.exe [Detected as GAV: Kryptik.NTI_3 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temporary Internet Files\Content.IE5\SL2VSXQV\37dbbd[2].pdf [Detected as GAV: Pdfka.OSQ (Trojan)]

The Trojan creates the following key in the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AutoStart "C:\DOCUME~1\{USER}\LOCALS~1\Temp\setup.exe"
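
An added triage example (not SonicWALL's code): it flags Run-key values whose executable sits in a user's Temp directory, expanding the 8.3 short folder names (DOCUME~1, LOCALS~1) that the AutoStart value above uses and that a plain match on "Local Settings\Temp" would miss. The sample registry export, the user name alice and the other entry names are constructed, and the short-name mapping assumes the default Windows XP profile layout.

```python
import re

# 8.3 short folder aliases mapped to their long names.
# Assumption: default Windows XP profile layout, as in the paths listed above.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "locals~1": "local settings",
}

# An .exe placed directly in a user's Temp folder (path already normalized).
TEMP_EXE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp\\[^\\]+\.exe$"
)

def normalize(command):
    """Return the lower-cased executable path of a Run value, 8.3 aliases expanded."""
    cmd = command.strip()
    if cmd.startswith('"'):
        # Quoted form: the path is everything up to the closing quote.
        path = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted form: take everything up to the first ".exe".
        m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd
    parts = path.lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)

def suspicious_run_values(run_values):
    """Given {value name: command}, return the names that launch an .exe from Temp."""
    return sorted(
        name for name, cmd in run_values.items() if TEMP_EXE.match(normalize(cmd))
    )

# Constructed sample of an exported HKLM ...\CurrentVersion\Run key.
SAMPLE_RUN_KEY = {
    "AutoStart": r'"C:\DOCUME~1\alice\LOCALS~1\Temp\setup.exe"',
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "Helper": r"C:\Documents and Settings\alice\Local Settings\Temp\helper.exe -q",
}

if __name__ == "__main__":
    for name in suspicious_run_values(SAMPLE_RUN_KEY):
        print(name, "->", normalize(SAMPLE_RUN_KEY[name]))
```

A hit is a lead for review, not a verdict: some legitimate installers also register a temporary autorun from Temp.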

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: FakeXvid.A (Trojan)
  • GAV: Kryptik.NTI_3 (Trojan)
  • GAV: Pdfka.OSQ (Trojan)