Merry Christmas Spam - Banker Trojan
SonicWALL UTM Research team observed a new spam campaign starting today Tuesday, December 02, 2008 which involves a fake e-mail pretending to be arriving from either Coca-Cola, McDonalds, or Hallmark. The email has a zip archived attachment which contains the new Banker Trojan.
The e-mail looks like following:
- postcard.zip (contains postcard.doc .scr)
- promotion.zip (contains coupon.exe)
- coupon.zip (contains coupon.exe)
- You've received A Hallmark E-Card!
- Coca Cola is proud to accounce our new Christmas Promotion.
- Mcdonalds wishes you Merry Christmas!
You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon, Your friends at Hallmark
Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.
Hallmark.com | Privacy & Security | Customer Service | Store Locator
The content of the Coca-Cola and McDonald's spam email is fetched from Coca-Cola and McDonald's official websites.
The Trojan when executed performs following host level activity:
- Creates qnx.exe in the Windows System directory and runs it
- Creates vxworks.exe in the Windows System directory and runs it
- Deletes the original copy of the file
It creates the following Registry key:
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunWind River Systems = "[Windows System Dir]vxworks.exe"
vxworks.exe process listens on TCP ports 1056 and 1071 and also sends following GET request:
The Trojan is also known as Trojan-Banker.Win32.Banker.abbi [Kaspersky], VirTool:Win32/CeeInject.gen!J [Microsoft], and TR/Dropper.Gen [AntiVir]
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Banker.ABBI (Trojan) signature.