Important Document spam
SonicWALL UTM Research team observed a new spam campaign starting on Monday, September 22, 2008 which involves a fake e-mail claiming to have an important document.
SonicWALL has received 4,500 e-mail copies of this malware so far. The e-mail looks like following:
Attachment: doc.zip (contains doc.exe) -> password protected
Subject: Important document for X (where X = random alphanumeric string)
Email Body:
------------------------
Hello X, the document is attached. Pass 123.
------------------------
The email attachment contains zipped malware executable which is a new Downloader Trojan. The Trojan when executed drops the following files on the system:
- c:2.tmp
- c:3.tmp
- c:4.tmp
- c:5.tmp
- c:6.tmp
- c:7.tmp
It also tries to download other malware by sending following GET requests:
- hxxp://79.135.XX.18/cgi-bin/index.cgi?user5
- hxxp://79.135.XX.18/scan.exe
- hxxp://79.135.XX.18/s.exe
- hxxp://79.135.XX.18/l.exe
- hxxp://79.135.XX.18/ftp.exe
The Trojan is also known as TrojanDownloader:Win32/Chepvil.H [Microsoft], W32/Trojan3.AN [F-Prot], and TR/Dropper.Gen [AntiVir]
SonicWALL provides protection against password protected zip file via GAV: Password-protected ZIP file signature. It is highly recommend to turn on "Restrict Transfer of password-protected ZIP files" option in Gateway Anti-Virus settings to turn the signature on.
SonicWALL has also released a signature to detect the new Downloader Trojan:Agent.AHKV (Trojan)