Obama Sex Trojan

September 12, 2008

The SonicWALL UTM Research team observed a new spam campaign that uses the US presidential election as a social engineering mechanism to install a Trojan.

The email appears to be from obamasex@obama.com with the subject "Barack Obama sex story with girl".

The email content reads:
------------------
Sensation!!! United States Senator for Illinois
Barack Obama in 2007 was travel to Ukraine and
have sex action with many ukrainian girls!
You may view this private porno in a flash video.
Download and view now. Please send this
news to your friends!
Obama it's not right choice!!!
---------------

The link goes to a site on a Chinese domain, hosted in Thailand:
hxxp://***promo.cn/sensations/obama_b***job.exe

If the link is clicked, a video plays for 14 seconds while, in the background, an information-stealing Trojan is installed on the victim's computer.

The Trojan is also known as Trojan.Win32.Agent.acyq (Kaspersky), PWS-Banker.cs trojan (McAfee) and Mal/Hupig-D (Sophos). It installs itself in C:\Documents and Settings\[UserName]\Local Settings\Temp\system32_.exe and installs 809.exe in the user's Temporary Internet Files folder.

A Browser Helper Object (BHO) named Siemens32.dll is also registered. It posts stolen data to a compromised Finnish travel site:
hxxp://*****-hotel.com/berloga/datas.php

SonicWALL has released a GAV signature to protect against this threat: GAV: Agent.ACYQ (Trojan)
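
The download and drop URLs above can also be used to triage web proxy logs for affected clients. The following Python is an added example, not SonicWALL's code: the log format, hostnames and file name in the sample are constructed, and because the advisory masks part of each hostname, only the visible hostname suffixes and URL paths are matched.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the advisory. Hostnames are partly masked there, so the
# visible suffix is combined with the URL path to limit false positives.
DOWNLOAD = {"host_suffix": "promo.cn",
            "path": re.compile(r"^/sensations/[^/]+\.exe$", re.I)}
EXFIL = {"host_suffix": "-hotel.com",
         "path": re.compile(r"^/berloga/datas\.php$", re.I)}

# Constructed sample log, format: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2008-09-12T09:01:10 10.0.0.5 GET http://placeholderpromo.cn/sensations/sample.exe 200
2008-09-12T09:03:42 10.0.0.5 POST http://placeholder-hotel.com/berloga/datas.php 200
2008-09-12T09:10:00 10.0.0.8 GET http://placeholderpromo.cn/sensations/sample.exe 200
2008-09-12T09:12:30 10.0.0.9 GET http://placeholderpromo.cn/sensations/sample.exe 403
2008-09-12T09:15:00 10.0.0.7 GET http://other-hotel.com/rooms.html 200
"""

def matches(url, indicator):
    """True if the URL's host ends with the suffix and its path matches."""
    parts = urlsplit(url.replace("hxxp", "http", 1))  # accept defanged URLs
    host = (parts.hostname or "").lower()
    return (host.endswith(indicator["host_suffix"])
            and bool(indicator["path"].match(parts.path)))

def triage(log_text):
    """Return {client: "infected" | "exposed"} for clients hitting an indicator."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, client, method, url, status = fields
        # A blocked download (non-200) never reached the client.
        if method == "GET" and status == "200" and matches(url, DOWNLOAD):
            seen[client].add("download")
        elif method == "POST" and matches(url, EXFIL):
            seen[client].add("exfil")
    # A POST to the drop URL means the Trojan ran; a download alone means
    # the executable was fetched but no data post was observed.
    return {c: ("infected" if "exfil" in ev else "exposed")
            for c, ev in seen.items()}

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict)
```

Clients marked "infected" should be prioritized for a check of the dropped files and the Siemens32.dll BHO described above.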

Here is a screenshot of the email:

[Image: screenshot of the email]