McDonald's Free Dinner e-mail Leads to FakeAV

June 23, 2011

The SonicWALL UTM Research team received reports of a new spam campaign in the wild that pretends to come from McDonald's Restaurants. The e-mails use subject lines built around a "McDonalds Free Dinner" theme.

A sample e-mail from the campaign has the following format:

Subject:

  • Come to us at our holiday of healthy and free food
  • Dont miss The Free Five-Course Dinner Day
  • Find the invitation to Free Day in the letter
  • Get a ticket for free helpings
  • Large free dish of five courses
  • Tasty and free food for each visitor
  • The Free Day holiday is here
  • The Free Dinner Day
  • The letter contains the ticket for free helpings
  • We are having the holiday of free food
  • We gift you a ticket to the day of free dishes

Attachment: Invitation_Card{Random Numbers}.zip (22.9KB)

screenshot

The executable file masquerades as a Microsoft Word document by using an icon seen below:

screenshot

If the user extracts and runs the malicious executable inside the zip attachment, it performs the following activity:

  • Creates a SVCHOST.EXE process and injects its code into it.
  • Copies itself to %Startup%/dxdiag.exe [ detected as GAV: Obfuscator.PO_2 (Virus) ]
    Sets the copy's timestamp to match that of ntdll.dll, to hide it from tools that look for newly created files.
  • Deletes the original executable file.

Downloads other malware:

  • Application Data\gog.exe - [ detected as GAV: FakeAV.LSX (Trojan) ]

Dropped files:

  • Application Data\completescan
  • Application Data\ct_start
  • Application Data\1.gif
  • Application Data\install
  • Application Data\start

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: "Application Data\gog.exe"
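The file-system and registry artifacts listed above (a copy in the Startup folder timestomped to match ntdll.dll, and a Winlogon Shell value pointing at a dropped executable) can be checked with a short triage script. The following is an added example and not SonicWALL's code: it runs over constructed file metadata and a constructed Shell value so it executes anywhere; on a live Windows host the same functions would be fed from a listing of the Startup folder, the timestamp of %SystemRoot%\System32\ntdll.dll and the Winlogon\Shell registry value. The reference timestamp and the file names other than dxdiag.exe are constructed.

```python
"""Host triage for the Startup-folder and Winlogon Shell persistence described above.

Added example, not the advisory's own code. All inputs below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference: the modification time of %SystemRoot%\System32\ntdll.dll
# on the host being examined (on a real host, read it from the file itself).
NTDLL_MTIME = datetime(2009, 7, 14, 1, 14, 0)


@dataclass
class FileEntry:
    path: str
    mtime: datetime   # last-modified time as reported by the file system
    ctime: datetime   # creation time as reported by NTFS


def timestomped_startup_files(entries, reference=NTDLL_MTIME,
                              tolerance=timedelta(seconds=2)):
    """Return executables in a Startup folder whose timestamps match ntdll.dll.

    A file just dropped into Startup normally carries a recent creation time.
    An .exe whose modified and created times both sit within `tolerance` of a
    system library's timestamp is the timestomping pattern the advisory describes.
    """
    hits = []
    for e in entries:
        low = e.path.lower()
        if not low.endswith(".exe") or "\\startup\\" not in low:
            continue
        if (abs(e.mtime - reference) <= tolerance
                and abs(e.ctime - reference) <= tolerance):
            hits.append(e.path)
    return hits


def winlogon_shell_extras(shell_value):
    """Return every program in the Winlogon Shell value other than explorer.exe.

    The value is a comma-separated list and should contain only explorer.exe;
    any additional entry is launched at logon and is a persistence hook.
    """
    parts = [p.strip().strip('"') for p in shell_value.split(",")]
    return [p for p in parts if p and p.lower() != "explorer.exe"]


# Constructed sample input: one timestomped dropper, one ordinary program,
# and a non-executable shortcut that happens to share the reference timestamp.
STARTUP = r"C:\Documents and Settings\user\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    FileEntry(STARTUP + r"\dxdiag.exe", NTDLL_MTIME, NTDLL_MTIME),
    FileEntry(STARTUP + r"\sync.exe", datetime(2011, 6, 20, 9, 0), datetime(2011, 6, 20, 9, 0)),
    FileEntry(STARTUP + r"\notes.lnk", NTDLL_MTIME, NTDLL_MTIME),
]
# Constructed Shell value in the shape the advisory reports.
SAMPLE_SHELL = 'explorer.exe,"Application Data\\gog.exe"'

if __name__ == "__main__":
    print("timestomped startup executables:", timestomped_startup_files(SAMPLE_ENTRIES))
    print("extra Winlogon Shell entries:", winlogon_shell_extras(SAMPLE_SHELL))
```

The timestamp check deliberately requires both the modified and created times to match: a single matching time can occur by chance, but a freshly written file that reports a creation time identical to a years-old system library is hard to explain innocently.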

Network Activity:

This malware collects system information and sends it to a remote server every 96 seconds, using the following User-Agent and URL:

    User-Agent: Our_Agent

  • http://diamond{REMOVED}e2011.ru//forum/task.php?bid={VolumeInfo}&os={OS Version}&uptime=0&rnd={random number}

Once the remote server receives the system information, it acknowledges it and replies with one of the following commands:

  • download - download other malware
  • update - update itself
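The check-in traffic above has two stable properties a defender can key on: the fixed User-Agent string and a task.php request that always carries the bid, os, uptime and rnd parameters, repeated on a 96-second cycle. The following is an added example, not SonicWALL's code, showing that detection over proxy logs. The log lines are constructed in a simplified squid-style format ("<epoch> <client_ip> <method> <url> "<user_agent>""), the client addresses and timestamps are invented, and the C2 hostname keeps the {REMOVED} placeholder from the advisory.

```python
"""Proxy-log detection for the periodic check-in described above.

Added example, not the advisory's own code. Log format and sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed log format: "<epoch> <client_ip> <method> <url> "<user_agent>""
LINE_RE = re.compile(
    r'^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$'
)

# Query parameters the advisory shows on every check-in.
CHECKIN_KEYS = {"bid", "os", "uptime", "rnd"}
CHECKIN_UA = "Our_Agent"

# Constructed sample log: one infected client beaconing every 96 seconds,
# one clean client browsing normally.
SAMPLE_LOG = """\
1308830400 10.0.0.5 GET http://diamond{REMOVED}e2011.ru//forum/task.php?bid=1234ABCD&os=5.1.2600&uptime=0&rnd=8812 "Our_Agent"
1308830410 10.0.0.7 GET http://www.example.com/index.html "Mozilla/4.0 (compatible; MSIE 8.0)"
1308830496 10.0.0.5 GET http://diamond{REMOVED}e2011.ru//forum/task.php?bid=1234ABCD&os=5.1.2600&uptime=0&rnd=3391 "Our_Agent"
1308830592 10.0.0.5 GET http://diamond{REMOVED}e2011.ru//forum/task.php?bid=1234ABCD&os=5.1.2600&uptime=0&rnd=7720 "Our_Agent"
1308830600 10.0.0.7 GET http://www.example.com/news "Mozilla/4.0 (compatible; MSIE 8.0)"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def is_checkin_request(url, ua):
    """True if the request matches the check-in pattern from the advisory:
    the fixed User-Agent, or a task.php request carrying all four parameters."""
    if ua == CHECKIN_UA:
        return True
    p = urlparse(url)
    return p.path.endswith("/task.php") and CHECKIN_KEYS <= set(parse_qs(p.query))


def find_beacons(log_text, min_hits=3, jitter=0.10):
    """Group matching requests by (client, host) and report steady intervals.

    Returns {(client, host): interval_seconds} for every pair with at least
    `min_hits` check-ins whose consecutive gaps all lie within `jitter` of
    the median gap, i.e. a fixed-period beacon such as the 96-second cycle.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_checkin_request(rec["url"], rec["ua"]):
            hits[(rec["src"], urlparse(rec["url"]).netloc)].append(rec["ts"])

    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median > 0 and all(abs(g - median) <= jitter * median for g in gaps):
            beacons[key] = median
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: check-in every {period}s")
```

The URL-parameter match is kept separate from the User-Agent match on purpose: the string "Our_Agent" is trivial for the author to change between builds, while the bid/os/uptime/rnd parameter set is tied to what the server-side script expects and tends to survive longer. The interval test then confirms the machine-driven cadence regardless of which indicator fired.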

FakeAV

This malware also downloads and installs a FakeAV application. Once installed, it shows a fake Microsoft Security Essentials alert, as seen below:

screenshot

After clicking the "Scan Online" button, it shows the following message and prompts the user to reboot the system:

screenshot

After the reboot, the following FakeAV screens appear. The software then asks the user to pay for it in order to "completely clean" the system.

screenshot

screenshot

screenshot

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Obfuscator.PO_2
  • GAV: FakeAV.LSX (Trojan)
  • GAV: Zurgop.Z#email (Trojan)

screenshot