Merry Christmas Spam - Banker Trojan

December 2, 2008

SonicWALL UTM Research team observed a new spam campaign starting today, Tuesday, December 02, 2008, which involves a fake e-mail pretending to come from either Coca-Cola, McDonalds, or Hallmark. The e-mail carries a zip archive attachment which contains the new Banker Trojan.

The e-mail looks like the following:

Attachment:

  • postcard.zip (contains postcard.doc .scr)
  • promotion.zip (contains coupon.exe)
  • coupon.zip (contains coupon.exe)

Subject:

  • You've received A Hallmark E-Card!
  • Coca Cola is proud to accounce our new Christmas Promotion.
  • Mcdonalds wishes you Merry Christmas!

Email Body:
------------------------
Dear Holder

Hello!

You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon, Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.
Hallmark.com | Privacy & Security | Customer Service | Store Locator
------------------------

The content of the Coca-Cola and McDonald's spam email is fetched from Coca-Cola and McDonald's official websites.
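The attachment names above use the two tricks that make this campaign worth filtering at the mail gateway: a plain executable inside a zip (coupon.exe) and a document-looking name padded with spaces before the real .scr extension. The following is an added example (not SonicWALL's code and not part of the original advisory) showing how a gateway check can inspect the archive members, flag both tricks, confirm the MZ header of a renamed executable, and match the subject lines listed above. The sample archives are constructed in memory with an MZ stub; they are not real samples from the campaign.

```python
import io
import re
import zipfile

# Subject lines from the advisory, kept verbatim including the spam's own spelling.
KNOWN_SUBJECTS = {
    "You've received A Hallmark E-Card!",
    "Coca Cola is proud to accounce our new Christmas Promotion.",
    "Mcdonalds wishes you Merry Christmas!",
}
EXEC_EXTENSIONS = ("exe", "scr", "pif", "com", "bat", "cmd")
# "postcard.doc                .scr": a document extension, whitespace padding, then a real executable extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(doc|pdf|jpg|txt|xls)\s+\.(%s)$" % "|".join(EXEC_EXTENSIONS), re.IGNORECASE
)
FINAL_EXT_RE = re.compile(r"\.([a-z0-9]+)$")

# Constructed stand-in for an executable: just the MZ magic plus padding, not real code.
FAKE_PE = b"MZ" + b"\x90" * 62


def build_sample_zip(members):
    """Build an in-memory zip from {member name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """Return [(member name, [reasons])] for every archive entry that warrants blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            reasons = []
            if DOUBLE_EXT_RE.search(name):
                reasons.append("padded double extension")
            m = FINAL_EXT_RE.search(name.lower())
            if m and m.group(1) in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            # Content check catches executables renamed to a harmless-looking extension.
            if zf.read(name)[:2] == b"MZ":
                reasons.append("MZ header")
            if reasons:
                findings.append((name, reasons))
    return findings


def check_message(subject, zip_bytes):
    """Verdict for one message: known campaign subject and/or dangerous archive members."""
    members = suspicious_members(zip_bytes)
    return {
        "subject_match": subject.strip() in KNOWN_SUBJECTS,
        "suspicious_members": members,
        "block": bool(members),
    }


# Constructed samples mirroring the attachment names in the advisory.
POSTCARD_ZIP = build_sample_zip({"postcard.doc                .scr": FAKE_PE})
COUPON_ZIP = build_sample_zip({"coupon.exe": FAKE_PE})
BENIGN_ZIP = build_sample_zip({"notes.txt": b"agenda for Tuesday"})

if __name__ == "__main__":
    for subj, data in (("You've received A Hallmark E-Card!", POSTCARD_ZIP),
                       ("Meeting notes", BENIGN_ZIP)):
        print(subj, "->", check_message(subj, data))
```

The verdict blocks on the archive contents rather than on the subject alone, since the subject is trivial for the sender to change while the executable payload is what the campaign depends on; the subject match is kept only as supporting evidence for reporting.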

The Trojan, when executed, performs the following host-level activity:

  • Creates qnx.exe in the Windows System directory and runs it
  • Creates vxworks.exe in the Windows System directory and runs it
  • Deletes the original copy of the file

It creates the following Registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wind River Systems = "[Windows System Dir]\vxworks.exe"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WallpaperXMAS

The vxworks.exe process listens on TCP ports 1056 and 1071 and also sends the following GET request:

  • http://whatismyip.com/automation/n09230945.asp
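The host indicators above (the dropped qnx.exe and vxworks.exe, the Run-key value named "Wind River Systems", the two listening ports, and the IP-lookup GET request) are the kind of evidence an incident responder checks across a fleet. The following is an added example, not SonicWALL's code and not part of the advisory, that matches those indicators against three constructed inputs: a .reg export of the Run key, proxy log lines, and netstat-style output. The log formats, the client IP addresses, the PID and the VendorTray entry are all constructed for the example.

```python
import ntpath
import re
from urllib.parse import urlparse

# Indicators taken from the advisory.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Wind River Systems"
DROPPED_FILES = {"qnx.exe", "vxworks.exe"}
LISTEN_PORTS = {1056, 1071}
LOOKUP_HOST = "whatismyip.com"
LOOKUP_PATH = "/automation/n09230945.asp"

# Constructed inputs (not real captures). A .reg export doubles backslashes in string data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="C:\\WINDOWS\\system32\\vxworks.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"""

# Constructed proxy log: date time client method url status
SAMPLE_PROXY_LOG = [
    "2008-12-02 10:14:03 10.0.0.15 GET http://whatismyip.com/automation/n09230945.asp 200",
    "2008-12-02 10:14:09 10.0.0.22 GET http://www.example.com/index.html 200",
]

# Constructed "netstat -ano"-style lines: proto local remote state pid
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135       0.0.0.0:0    LISTENING    912",
    "  TCP    0.0.0.0:1056      0.0.0.0:0    LISTENING    1488",
    "  TCP    0.0.0.0:1071      0.0.0.0:0    LISTENING    1488",
]


def parse_reg_export(text):
    """Map (key path, value name) -> string data for REG_SZ values in a .reg export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # undo the .reg escaping of backslashes
                entries[(current, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def run_key_findings(reg_text):
    """Flag Run-key entries by the advisory's value name or by the dropped file names."""
    findings = []
    for (key, name), data in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        target = ntpath.basename(data.strip('"')).lower()
        if name == RUN_VALUE_NAME or target in DROPPED_FILES:
            findings.append(f"run key persistence: {name} -> {data}")
    return findings


def proxy_findings(lines):
    """Flag the IP-lookup request regardless of a www. prefix or case in the host."""
    findings = []
    for line in lines:
        fields = line.split()
        urls = [f for f in fields if f.startswith("http")]
        if len(fields) < 5 or not urls:
            continue
        u = urlparse(urls[0])
        host = (u.hostname or "").lower()
        if host in (LOOKUP_HOST, "www." + LOOKUP_HOST) and u.path == LOOKUP_PATH:
            findings.append(f"ip lookup request from {fields[2]}: {urls[0]}")
    return findings


def netstat_findings(lines):
    """Flag listeners on the ports the advisory associates with vxworks.exe."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])
        if port in LISTEN_PORTS:
            findings.append(f"listening port {port} (pid {fields[4]})")
    return findings


def scan_host(reg_text, proxy_lines, netstat_lines):
    """Combine all three indicator checks into one ordered list of findings."""
    return run_key_findings(reg_text) + proxy_findings(proxy_lines) + netstat_findings(netstat_lines)


if __name__ == "__main__":
    for finding in scan_host(SAMPLE_REG_EXPORT, SAMPLE_PROXY_LOG, SAMPLE_NETSTAT):
        print(finding)
```

The Run-key check matches on the dropped file name as well as the value name, since the value name is the easier of the two for a later variant to change; the whatismyip.com request on its own is only a weak indicator (legitimate software performs the same lookup), so it is reported alongside the persistence and listener evidence rather than used as a standalone alert.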

The Trojan is also known as Trojan-Banker.Win32.Banker.abbi [Kaspersky], VirTool:Win32/CeeInject.gen!J [Microsoft], and TR/Dropper.Gen [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Banker.ABBI (Trojan) signature.