Important Document spam

September 29, 2008

SonicWALL UTM Research team observed a new spam campaign starting on Monday, September 22, 2008 which involves a fake e-mail claiming to have an important document.

SonicWALL has received 4,500 e-mail copies of this malware so far. The e-mail looks like following:

Attachment: (contains doc.exe) -> password protected

Subject: Important document for X (where X = random alphanumeric string)

Email Body:
Hello X, the document is attached. Pass 123.

The email attachment contains zipped malware executable which is a new Downloader Trojan. The Trojan when executed drops the following files on the system:

  • c:2.tmp
  • c:3.tmp
  • c:4.tmp
  • c:5.tmp
  • c:6.tmp
  • c:7.tmp

It also tries to download other malware by sending following GET requests:

  • hxxp://79.135.XX.18/cgi-bin/index.cgi?user5
  • hxxp://79.135.XX.18/scan.exe
  • hxxp://79.135.XX.18/s.exe
  • hxxp://79.135.XX.18/l.exe
  • hxxp://79.135.XX.18/ftp.exe

The Trojan is also known as TrojanDownloader:Win32/Chepvil.H [Microsoft], W32/Trojan3.AN [F-Prot], and TR/Dropper.Gen [AntiVir]

SonicWALL provides protection against password protected zip file via GAV: Password-protected ZIP file signature. It is highly recommend to turn on "Restrict Transfer of password-protected ZIP files" option in Gateway Anti-Virus settings to turn the signature on.

SonicWALL has also released a signature to detect the new Downloader Trojan:Agent.AHKV (Trojan)