New statement spam
SonicWALL UTM Research team observed a new wave of the on-going Statement document spam campaign starting today Friday, October 17, 2008. The email has a zip archived attachment which contains the new Trojan variant.
The e-mail contains following attachment:
Attachment: Statement_01-10.zip (contains Statement_01-10.doc [WHITESPACES] .exe - UPX packed)
The Trojan when executed drops following malicious files in the system folder:
- rs32net.exe (copy of itself)
It also creates the following Registry keys to ensure that rs32net.exe gets executed automatically on system startup:
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunrs32net = "(SYSTEM FOLDER PATH)rs32net.exe"
It then starts the rs32net.exe process and deletes the original copy of the file from the folder where it was executed.
The Trojan tries to send a HTTP GET request
- GET /40E80008F04FCE3BCEE24D126C000001DD6600000002760000015EEB000530829EA5AC HTTP/1.0
to following IP addresses:
The Trojan has a very low detection at the time of writing this report.
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AGWR (Trojan) signature.