New statement spam

October 17, 2008

SonicWALL UTM Research team observed a new wave of the ongoing Statement document spam campaign starting today, Friday, October 17, 2008. The e-mail carries a zip-archived attachment which contains the new Trojan variant.

The e-mail contains the following attachment:

Attachment: Statement_01-10.zip (contains Statement_01-10.doc [WHITESPACES] .exe - UPX packed)

When executed, the Trojan drops the following malicious file in the system folder:

  • rs32net.exe (copy of itself)

It also creates the following Registry value to ensure that rs32net.exe is executed automatically on system startup:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net = "(SYSTEM FOLDER PATH)\rs32net.exe"

It then starts the rs32net.exe process and deletes the original copy of the file from the folder where it was executed.

The Trojan then tries to send the following HTTP GET request

  • GET /40E80008F04FCE3BCEE24D126C000001DD6600000002760000015EEB000530829EA5AC HTTP/1.0

to the following IP addresses:

  • 208.66.194.240
  • 216.195.55.50
  • 216.195.56.22
  • 209.66.122.238
  • 91.203.92.7
  • 208.66.195.15
  • 208.66.195.71
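The persistence entry and the beacon above give a defender two concrete things to look for: a Run-key value referencing rs32net.exe, and GET requests with a long hex path to the listed addresses. The following is an added detection example written for this post, not code from SonicWALL or from the advisory. It runs over a few constructed proxy-log lines in a made-up format (timestamp, client, destination, quoted request line, status); the 40-hex-digit path heuristic and the log format are assumptions, while the IP list and the request path are taken from the report. The Run-key check takes the value name/command pairs as a plain dict so it can be exercised offline; on a live host the caller would read them from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Destination addresses the advisory lists as the Trojan's beacon targets.
C2_IPS = {
    "208.66.194.240", "216.195.55.50", "216.195.56.22", "209.66.122.238",
    "91.203.92.7", "208.66.195.15", "208.66.195.71",
}

# The exact request path observed in the advisory.
OBSERVED_PATH = "/40E80008F04FCE3BCEE24D126C000001DD6600000002760000015EEB000530829EA5AC"

# Heuristic (an assumption, not from the advisory): a path that is nothing but a long
# run of upper-case hex digits, with no file name or extension, resembles the beacon.
HEX_PATH_RE = re.compile(r"^/[0-9A-F]{40,}$")

# Constructed log format: <timestamp> <client> <destination> "<METHOD> <path> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})$'
)


@dataclass
class Finding:
    client: str
    dst: str
    path: str
    reasons: List[str]


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(rec: Dict[str, str]) -> List[str]:
    """List the reasons a parsed request looks like the advisory's beacon (empty = benign)."""
    reasons = []
    if rec["dst"] in C2_IPS:
        reasons.append("destination is a listed beacon address")
    if rec["method"] == "GET" and rec["path"] == OBSERVED_PATH:
        reasons.append("path matches the observed beacon URI")
    elif rec["method"] == "GET" and HEX_PATH_RE.match(rec["path"]):
        reasons.append("path is a long hex blob (heuristic)")
    return reasons


def find_beacons(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines and collect every request that matches at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than crashing the scan
        reasons = classify_request(rec)
        if reasons:
            findings.append(Finding(rec["client"], rec["dst"], rec["path"], reasons))
    return findings


def check_run_entries(entries: Dict[str, str]) -> List[str]:
    """Flag Run-key values whose name or command references rs32net.exe.

    `entries` maps value name -> command line as read from the Run key; reading the
    registry itself is left to the caller so this function stays platform-neutral.
    """
    hits = []
    for name, cmd in entries.items():
        if name.lower() == "rs32net" or "rs32net.exe" in cmd.lower():
            hits.append(f"{name} = {cmd}")
    return hits


# Constructed sample lines, not captured traffic. 198.51.100.x / 203.0.113.x are
# documentation addresses standing in for ordinary destinations.
SAMPLE_LOG = [
    '2008-10-17T10:01:02Z 10.0.0.15 208.66.194.240 "GET ' + OBSERVED_PATH + ' HTTP/1.0" 200',
    '2008-10-17T10:01:05Z 10.0.0.15 198.51.100.7 "GET /index.html HTTP/1.1" 200',
    '2008-10-17T10:01:09Z 10.0.0.22 91.203.92.7 "GET /update HTTP/1.0" 404',
    '2008-10-17T10:02:11Z 10.0.0.31 203.0.113.9 '
    '"GET /0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF HTTP/1.0" 200',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f.client} -> {f.dst} {f.path}: {', '.join(f.reasons)}")
    sample_run = {"rs32net": r"C:\WINDOWS\system32\rs32net.exe", "ctfmon": "ctfmon.exe"}
    for hit in check_run_entries(sample_run):
        print("suspicious Run value:", hit)
```

The destination match and the path match are reported separately so an analyst can tell a hit on a listed address (high confidence, but the list ages quickly) from a hit on the hex-path heuristic alone (worth a look, but more prone to false positives).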

At the time of writing this report, the Trojan had a very low detection rate.

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Agent.AGWR (Trojan) signature.