Michael Jackson Video Trojan

June 26, 2009

The SonicWALL UTM Research team observed a new Trojan downloader, Adload.LI (Trojan), being spammed in the wild starting June 26, 2009. The spammed e-mails claim to link to previously unseen videos and pictures of the late Michael Jackson.

The link in the spammed e-mail points to the website of a well-known radio broadcasting station hosted in Australia. At the time of writing this alert the link was still live and served the malicious file:

  • www.beatzradio(REMOVED).Jackson_videos_fotos.php

The file is downloaded as Michael.Jackson.videos.scr and carries an icon disguised as an MPEG video file, as seen below. The .scr extension marks a Windows screensaver, which is an ordinary executable, so double-clicking the "video" runs the Trojan:

screenshot

A screenshot of the download prompt from the well-known website is shown below:

screenshot

When executed, the Trojan downloader performs the following activity:

  • Creates a mutex object named _!SHMSFTHISTORY!_ to mark its presence on the system
  • Opens a legitimate website showing a news article about Michael Jackson in Internet Explorer, as seen below:

    screenshot

  • Attempts to download malicious files from the anella2009.dominiotemporario.com domain; (Windows) and (System) below stand for the Windows and System directories, and note that the .gif names are only a disguise, since the files are saved and run as executables:
    • GET /ba/foto.dll - saved as (Windows)Dynamic.dll (GAV: Banker.N (Trojan))
    • GET /ba/michael.gif - saved as (System)fotos.exe (GAV: Banspy.F (Trojan))
    • GET /ba/kproces.gif - saved as (System)kproces.exe (GAV: Banbra.NOR (Trojan))
  • Executes the files downloaded above.
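
The indicators above (lure filename, mutex name, download host and paths) can be turned into a small detection script. The following is an added example and not code from the SonicWALL alert: it scans proxy log lines for the download host and payload paths, flags the double-extension video lure in the general form (a media-looking name ending in .scr/.exe/.pif/.com, which goes beyond the single filename in the alert), and offers a Windows-only check for the mutex. The log format, the sample log lines and the function names are constructed for this example; the mutex check assumes the mutex lives in the caller's session namespace, which the alert does not state.

```python
"""Indicator matching for the Adload.LI downloader (added example, not the alert's code)."""
import ctypes
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Indicators listed in the alert.
IOC_MUTEX = "_!SHMSFTHISTORY!_"
IOC_HOST = "anella2009.dominiotemporario.com"
IOC_PATHS = {"/ba/foto.dll", "/ba/michael.gif", "/ba/kproces.gif"}
IOC_DROPPED = {"Michael.Jackson.videos.scr", "Dynamic.dll", "fotos.exe", "kproces.exe"}

# Generalisation of the lure seen here (assumption): a media-looking name
# followed by an executable extension (.scr is a screensaver, i.e. a PE file).
LURE_RE = re.compile(
    r"\.(avi|mpe?g|mp4|wmv|videos?|fotos?|pics?|jpe?g)\.(scr|exe|pif|com)$", re.I
)

# Constructed log format (assumption, not any real proxy's format):
# "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://([^/?#]+)(/[^?#]*)?", re.I)


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def is_lure_filename(name: str) -> bool:
    """True for names such as Michael.Jackson.videos.scr."""
    return LURE_RE.search(name) is not None


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL matches an indicator, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group(1).lower()
    path = m.group(2) or "/"
    if host == IOC_HOST:
        if path in IOC_PATHS:
            return "payload fetch from known download host"
        return "contact with known download host"
    if is_lure_filename(path.rsplit("/", 1)[-1]):
        return "double-extension video lure download"
    return None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Parse each line with LOG_RE and keep those whose URL matches an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # line does not fit the constructed format; skip it
        reason = classify_url(m.group("url"))
        if reason is not None:
            hits.append(Hit(m.group("client"), m.group("url"), reason))
    return hits


def mutex_present(name: str = IOC_MUTEX) -> bool:
    """Host-side check: is the Trojan's mutex currently held on this Windows box?

    Uses kernel32.OpenMutexW and always returns False off Windows. Assumes the
    mutex is in the caller's session namespace (the alert gives only the name).
    """
    if sys.platform != "win32":
        return False
    SYNCHRONIZE = 0x00100000
    handle = ctypes.windll.kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        ctypes.windll.kernel32.CloseHandle(handle)
        return True
    return False


# Constructed sample traffic (example data, not captured from a real host).
SAMPLE_LOG = [
    "2009-06-26T10:01:02 10.0.0.5 GET http://www.example.com/news/mj.html 200",
    "2009-06-26T10:01:09 10.0.0.5 GET http://www.example.com/Michael.Jackson.videos.scr 200",
    "2009-06-26T10:02:15 10.0.0.5 GET http://anella2009.dominiotemporario.com/ba/foto.dll 200",
    "2009-06-26T10:02:16 10.0.0.5 GET http://anella2009.dominiotemporario.com/ba/michael.gif 200",
    "2009-06-26T10:02:17 10.0.0.5 GET http://anella2009.dominiotemporario.com/ba/kproces.gif 200",
    "2009-06-26T10:03:00 10.0.0.7 GET http://anella2009.dominiotemporario.com/ 404",
    "2009-06-26T10:04:00 10.0.0.9 GET http://www.example.com/holiday.mpg 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.client}\t{hit.reason}\t{hit.url}")
    print("mutex present:", mutex_present())
```

Run against the sample, the scanner reports the lure download from 10.0.0.5 followed by the three payload fetches, plus a bare contact with the download host from 10.0.0.7; the legitimate news page and the real .mpg file are not flagged. The host-side mutex check only has meaning on a Windows machine, and a missing mutex does not prove the machine is clean, since the downloaded banker components run as separate processes.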

This Trojan is also detected as TrojanDownloader:Win32/VB.LI [Microsoft] and Trojan-Downloader.Win32.Adload [Ikarus].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Adload.LI (Trojan) signature; the downloaded components are covered by the Banker.N, Banspy.F and Banbra.NOR signatures listed above.