Obama Sex Trojan

September 12, 2008

SonicWALL UTM Research team observed a new spam campaign which uses the US presidential election as a social engineering mechanism to install a Trojan.

The email appears to be from obamasex@obama.com with the subject "Barack Obama sex story with girl".

The email contents is
Sensation!!! United States Senator for Illinois
Barack Obama in 2007 was travel to Ukraine and
have sex action with many ukrainian girls!
You may view this private porno in a flash video.
Download and view now. Please send this
news to your friends!
Obama it's not right choice!!!

link goes to a Chinese domain site hosted in Thailand

If the link is clicked a video plays for 14 seconds, and in the background, information-stealing Trojan is installed on the victim's computer.

The Trojan is also known as Trojan.Win32.Agent.acyq (Kaspersky), PWS-Banker.cs trojan (McAfee) and Mal/Hupig-D (Sophos). It installs itself in C:Documents and Settings[UserName]Local SettingsTempsystem32_.exe and installs 809.exe in the user's Temporary Internet Files folder.

Also a Browser Helper Object (BHO) named Siemens32.dll is registered. It posts stolen data to a compromised Finnish travel site,

SonicWALL has released a GAV signature to protect against this threat: GAV: Agent.ACYQ (Trojan)

Here is a screenshot of the email: