New Infostealer Trojan

March 16, 2009

SonicWALL UTM Research team observed a new spam campaign starting March 13, 2009 which involves a fake e-mail pretending to come from the Bank of America Support system.

The e-mail informs the user that the automatic installation of the Bank of America certificate component failed and that they need to follow the instructions to get it installed. The e-mail contains a malicious link that leads to the download of the new Infostealer Trojan.

SonicWALL has seen more than 8000 copies of the e-mail carrying this malware since March 13, 2009, 9 AM PST. The e-mail messages look like the ones below:

Email #1:

Email #2:

Email #3:

When the user clicks on the link in the e-mail, it opens a fake Bank of America page that displays a demo video frame on how to install a Digital Certificate. When the user tries to play the video, it prompts the user to download an Adobe Flash Player update, which is the Trojan executable, as seen below:



Upon execution, it performs the following activities:

  • Drops the following files on the target system:
    • (Windows_Dir)\9129837.exe [Detected as GAV: Papras.JD (Trojan)]
    • (Windows_Dir)\new_drv.sys [Detected as GAV: Agent.EX (Trojan)]
    • (Desktop)\abcdefg.bat
  • Makes the following modifications to the Windows Registry:
    • Creates: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tool = "(Windows_Dir)\9129837.exe"
    • Creates: HKLM\SYSTEM\ControlSet001\Services\new_drv\ImagePath: "(Windows_Dir)\new_drv.sys"
  • Attempts to send GET requests containing victim machine information to the following IP address:

The Trojan has very low detection at the time of writing this alert. It is also known as Infostealer.Snifula.B [Symantec] and Trojan-PSW:W32/Papras.DK [F-Secure].
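As an added illustration for responders (this is not SonicWALL's tooling and is not part of the original alert), the following Python script checks a host for the dropped files and registry modifications listed above. It assumes a `reg export`-style text dump (only plain string values are parsed) and a list of file paths from the host; the registry value name `tool` under the Run key is taken from the alert, and the sample export and file listing embedded at the bottom are constructed for the demonstration.

```python
"""Host-side check for the indicators in this alert (constructed example)."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the alert. Files are matched on basename and registry
# keys on their suffix, so the (Windows_Dir)/(Desktop) placeholders do not have
# to be resolved to concrete directories.
DROPPED_FILES = {"9129837.exe", "new_drv.sys", "abcdefg.bat"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SERVICE_KEY_SUFFIX = r"\services\new_drv"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

Finding = Tuple[str, str]  # (kind, detail)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format that `reg export` writes for string
    values: [key] headers followed by "name"="value" lines. Doubled
    backslashes inside values are unescaped; other value types are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, value = value_match.groups()
            keys[current][name] = value.replace("\\\\", "\\")
    return keys


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates surrounding quotes and the
    \\??\\ prefix that driver ImagePath values often carry."""
    path = path.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag a Run value launching 9129837.exe and a new_drv service whose
    ImagePath points at new_drv.sys, as described in the alert."""
    findings: List[Finding] = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.endswith(RUN_KEY_SUFFIX):
            for name, value in values.items():
                if basename(value) == "9129837.exe":
                    findings.append(("registry", f"{key}\\{name} = {value}"))
        elif lowered.endswith(SERVICE_KEY_SUFFIX):
            image = values.get("ImagePath", "")
            if basename(image) == "new_drv.sys":
                findings.append(("registry", f"{key}\\ImagePath = {image}"))
    return findings


def check_files(paths: List[str]) -> List[Finding]:
    """Flag any listed file whose name matches one of the dropped files."""
    return [("file", p) for p in paths if basename(p) in DROPPED_FILES]


def scan(reg_text: str, file_paths: List[str]) -> List[Finding]:
    return check_registry(parse_reg_export(reg_text)) + check_files(file_paths)


# Constructed sample input: an excerpt of a registry export and a file listing
# from a hypothetical infected Windows XP host, with benign entries mixed in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tool"="C:\\WINDOWS\\9129837.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\new_drv]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\new_drv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Beep]
"ImagePath"="system32\\drivers\\beep.sys"
"""

SAMPLE_FILES = [
    r"C:\WINDOWS\9129837.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Documents and Settings\user\Desktop\abcdefg.bat",
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_REG, SAMPLE_FILES):
        print(f"[{kind}] {detail}")
```

On the constructed sample the scan reports the `Run\tool` value, the `new_drv` service ImagePath, and the two dropped files, and ignores the benign entries. Note that a real `reg export` writes REG_EXPAND_SZ values such as a driver's ImagePath as `hex(2):...` rather than a quoted string, so on a live export those lines would need to be decoded before this parser sees them.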

SonicWALL Gateway Antivirus provides protection against this malware via the GAV: Papras.JD (Trojan) signature.