Important Document spam
The SonicWALL UTM Research team observed a new spam campaign, starting on Monday, September 22, 2008, that involves a fake e-mail claiming to have an important document.
SonicWALL has received 4,500 e-mail copies of this malware so far. The e-mail looks like the following:
Attachment: doc.zip (contains doc.exe) -> password protected
Subject: Important document for X (where X = random alphanumeric string)
Hello X, the document is attached. Pass 123.
The e-mail attachment contains a zipped malware executable, which is a new Downloader Trojan. When executed, the Trojan drops the following files on the system:
It also tries to download other malware by sending the following GET requests:
The Trojan is also known as TrojanDownloader:Win32/Chepvil.H [Microsoft], W32/Trojan3.AN [F-Prot], and TR/Dropper.Gen [AntiVir].
SonicWALL provides protection against password-protected ZIP files via the GAV: Password-protected ZIP file signature. It is highly recommended to turn on the "Restrict Transfer of password-protected ZIP files" option in the Gateway Anti-Virus settings to enable the signature.
SonicWALL has also released a signature to detect the new Downloader Trojan: Agent.AHKV (Trojan)
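The password-protected ZIP restriction recommended above works because standard ZIP encryption protects file contents but leaves the encryption flag and member names readable without the password. The following is an added example, not SonicWALL's signature or code: a mail-filter style check that flags encrypted members and executable names. The function names, the extension list and the sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")  # assumed policy list, not from the advisory
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general purpose bit flag


def inspect_zip(data: bytes) -> dict:
    """Report encrypted members and executable names without needing the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # reads the central directory only, no decryption
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXECUTABLE_EXTS)]
    return {
        "encrypted": encrypted,
        "executables": executables,
        "block": bool(encrypted),  # mirrors a "restrict password-protected ZIP" policy
    }


def build_sample(name: str, encrypted: bool) -> bytes:
    """Constructed sample: a harmless ZIP, optionally with the encryption bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"placeholder, not a real executable")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 in the local file header (flags at offset 6) and in the
        # central directory entry (flags at offset 8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            flags = struct.unpack_from("<H", raw, pos + off)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", raw, pos + off, flags)
    return bytes(raw)


if __name__ == "__main__":
    # Same shape as the attachment in the e-mail: doc.zip containing doc.exe.
    print(inspect_zip(build_sample("doc.exe", encrypted=True)))
    print(inspect_zip(build_sample("notes.txt", encrypted=False)))
```

Because the member name is visible even when the contents are not, a filter can report that an encrypted archive carries an executable, which is useful context when triaging blocked mail.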