Postcard spam - New FakeAV Trojan

October 16, 2009

SonicWALL UTM Research team observed a new wave of the Postcard spam campaign during last three days.

The email pretends to arrive from and contains an e-card as an attachment. The e-mail attachment is a ZIP archive that contains the new FakeAV Trojan variant.

The e-mail looks like:

Subject: You've received a postcard

Attachment: (contains ecard.exe)

Email Body:
Good day.

Your family member has sent you an ecard from

Send free ecards from with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days.

If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, open zip attached file.

The e-mail message looks like below:


The e-mail body remained the same but the attachment payload kept changing every few hours in last 3 days. SonicWALL has received more than 50,000 copies of this spam e-mails till now which had more than five distinct attachment payloads.

The malicious executable inside the attachment looks like:


If the user downloads and executes the attached ecard, it performs following activities:

  • It tries to connect to a arbitrary domain from a predetermined list to download a new Rogue Antivirus application. The run-time memory dump image of the malware shows the URLs that it attempts to connect via HTTP:


  • Creates following files:
    • (Program Files)AntivirusPro_2010AntivirusPro_2010.exe
    • [Detected as GAV: Vilsel.IJR (Trojan)]

    • (Program Files)AntivirusPro_2010AVEngn.dll
    • (AppData)seres.exe
    • (AppData)svcst.exe
  • Ensures that malicious executables run every time Windows restart by making following Registry modifications:
    • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunAntivirus Pro 2010 = ""(Program Files)AntivirusPro_2010AntivirusPro_2010.exe" /hide"
    • HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunmserv = "(AppData)seres.exe"
    • HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunsvchost = "(AppData)svcst.exe"
  • It opens up a Windows notification indicating that Windows has detected spyware infection as seen below:


  • If the user clicks on the notification window, it executes AntivirusPro_2010.exe that it downloaded from remote site:


The Trojan is also known as W32/FakeRean.A [F-Prot], Rogue:W32/Agent.MCF [F-Secure], and Generic FakeAlert!cr [McAfee].

SonicWALL Gateway AntiVirus provided proactive protection against multiple variants of this malware via GAV: Kryptik.ASA_2 (Trojan) signature [Total hits recorded in last 3 days:6,937,170 ].