McDonald's Free Dinner e-mail Leads to FakeAV

June 23, 2011

SonicWALL UTM Research team received reports of a new spam campaign pretending to be arriving from McDonalds Restaurants being spammed in the wild. This campaign includes subject about "McDonalds Free Dinner".

The sample e-mail format of the spam campaign includes the following:


  • Come to us at our holiday of healthy and free food
  • Dont miss The Free Five-Course Dinner Day
  • Find the invitation to Free Day in the letter
  • Get a ticket for free helpings
  • Large free dish of five courses
  • Tasty and free food for each visitor
  • The Free Day holiday is here
  • The Free Dinner Day
  • The letter contains the ticket for free helpings
  • We are having the holiday of free food
  • We gift you a ticket to the day of free dishes

Attachment: Invitation_Card{Random Numbers}.zip (22.9KB)


The executable file masquerades as a Microsoft Word document by using an icon seen below:


If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates the process SVCHOST.EXE and injects its code.
  • Copies itself as %Startup%/dxdiag.exe [ detected as GAV: Obfuscator.PO_2 (Virus) ]
    Sets the time stamp as the same with ntdll.dll to hide itself from malware tools that checks for newly created files.
  • Deletes the original executable file

Downloads other malware:

  • Application Datagog.exe - [ detected as GAV: FakeAV.LSX (Trojan) ]

Dropped files:

  • Application Datacompletescan
  • Application Datact_start
  • Application Data1.gif
  • Application Datainstall
  • Application Datastart

Added Registry:

  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon
    Value: Shell
    Data:"Application Datagog.exe"

Network Activity:

This malware steals system information and sends them to remote server every 96 seconds.

    User-Agent: Our_Agent

  • http://diamond{REMOVED}{VolumeInfo}&os={OS Version}&uptime=0&rnd={random number}

Once the remote server receives the system information, it will acknowledge it and reply with commands as follows:

  • download - download other malware
  • update - update itself


    This malware also downloads and installs FakeAV application. Once installed it will show a Fake Microsoft Security Essentials Alert as seen below:


    After Clicking the "Scan Online" Button, it will show this message and prompts for rebooting the system:


    After rebooting the system, the following FakeAV screens will appear. It will then ask the user to pay for the software to completely clean the system.





SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Obfuscator.PO_2
  • GAV: FakeAV.LSX (Trojan)
  • GAV: Zurgop.Z#email (Trojan)