Postcard spam - New FakeAV Trojan
SonicWALL UTM Research team observed a new wave of the Postcard spam campaign during last three days.
The email pretends to arrive from 123Greetings.com and contains an e-card as an attachment. The e-mail attachment is a ZIP archive that contains the new FakeAV Trojan variant.
The e-mail looks like:
Subject: You've received a postcard
Attachment: ecard.zip (contains ecard.exe)
Your family member has sent you an ecard from 123greetings.com.
Send free ecards from 123greetings.com with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days.
If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, open zip attached file.
The e-mail message looks like below:
The e-mail body remained the same but the attachment payload kept changing every few hours in last 3 days. SonicWALL has received more than 50,000 copies of this spam e-mails till now which had more than five distinct attachment payloads.
The malicious executable inside the attachment looks like:
If the user downloads and executes the attached ecard, it performs following activities:
- It tries to connect to a arbitrary domain from a predetermined list to download a new Rogue Antivirus application. The run-time memory dump image of the malware shows the URLs that it attempts to connect via HTTP:
- Creates following files:
- (Program Files)AntivirusPro_2010AntivirusPro_2010.exe
- (Program Files)AntivirusPro_2010AVEngn.dll
[Detected as GAV: Vilsel.IJR (Trojan)]
- Ensures that malicious executables run every time Windows restart by making following Registry modifications:
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunAntivirus Pro 2010 = ""(Program Files)AntivirusPro_2010AntivirusPro_2010.exe" /hide"
- HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunmserv = "(AppData)seres.exe"
- HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunsvchost = "(AppData)svcst.exe"
- It opens up a Windows notification indicating that Windows has detected spyware infection as seen below:
- If the user clicks on the notification window, it executes AntivirusPro_2010.exe that it downloaded from remote site:
The Trojan is also known as W32/FakeRean.A [F-Prot], Rogue:W32/Agent.MCF [F-Secure], and Generic FakeAlert!cr [McAfee].
SonicWALL Gateway AntiVirus provided proactive protection against multiple variants of this malware via GAV: Kryptik.ASA_2 (Trojan) signature [Total hits recorded in last 3 days:6,937,170 ].