The SonicWALL UTM Research team received reports of a new Trojan spreading in the wild. Once on a system, it appears to post potentially sensitive information to a remote web server. In the background, it installs a copy of the "Super Rabbit" system configuration software. The software is installed without user interaction or consent.
The Trojan makes DNS queries to the following hosts:
The Trojan makes a request to download a silent installer for the software "Super Rabbit":
The Trojan and silent installer make the following modifications to the system:
The Trojan sends potentially sensitive information to a remote site using an HTTP POST request:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
GAV: Orz.A (Trojan)