Rejected Federal Tax payment spam campaign

November 10, 2011

SonicWALL UTM Research team observed a new spam campaign pretending to come from the IRS information center. It informs the user about a rejected Federal Tax payment and asks them to review the attached PDF report file for more information. The attached file is a malicious executable Trojan masquerading as a PDF file.

A sample e-mail message looks like:

screenshot

The attached report file looks like:

screenshot

If executed, the file performs the following activity:

  • Creates an svchost.exe process and injects code into it.
  • Connects to the public Google DNS server 8.8.4.4 to check for Internet connectivity and sends it DNS queries for a list of predetermined remote servers:
    • followmego12.ru
    • hidemyfass87111.ru
    • losokorot7621.ru
    • mamtumbochka766.ru

  • Reports the infected machine's information to one of the above-mentioned servers via an HTTP POST request:

    screenshot

    The decrypted version of the data being sent looks like "id:8(REMOVED)|bid:X|bv:XXX|sv:XXXX|la:X"

  • Further attempts to download malicious executable files from a remote server in Latvia:
    • 91.22(REMOVED).29/step.exe [Detected as GAV: Pakes.II_2 (Trojan)]
    • 91.22(REMOVED).29/spm.exe [Detected as GAV: Festi.C_3 (Trojan)]
  • Drops the following files:
    • (All Users Temp)5328ffb60049acd7.exe [Copy of itself detected as GAV: Pakes.QUJ (Trojan)]
    • (User Temp)uhbgmrxgvk.bat [Batch file to remove previous version]
  • Deletes the original copy of the file.
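The domain list and the direct-to-8.8.4.4 resolver behaviour above are the observables a network defender can hunt for in DNS logs. The script below is an added example, not part of the SonicWALL advisory: it checks constructed DNS query log lines against the four listed domains, flags hosts that send queries to a resolver outside an assumed allow-list (the internal resolver address 10.0.0.53 and the log line format are assumptions made for this example), and parses the decrypted beacon string shown above into fields so an analyst can pivot on the bot id.

```python
"""
Added example (not SonicWALL's code): hunt for the DNS indicators described in
the advisory over constructed log lines, and parse the decrypted POST beacon.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Domains the advisory lists as the Trojan's predetermined remote servers.
C2_DOMAINS = {
    "followmego12.ru",
    "hidemyfass87111.ru",
    "losokorot7621.ru",
    "mamtumbochka766.ru",
}

# ASSUMPTION for this example: workstations are expected to use only the
# internal resolver below, so a query sent straight to 8.8.4.4 (as the
# sample does) is itself worth an alert.
ALLOWED_RESOLVERS = {"10.0.0.53"}  # constructed internal resolver address

# Constructed log format: "<timestamp> <src_ip> -> <resolver_ip> query <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<resolver>\d+\.\d+\.\d+\.\d+)\s+query\s+(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str
    detail: str


def matches_c2_domain(qname: str) -> bool:
    """True if qname is one of the listed domains or a subdomain of one.

    The trailing dot of a fully qualified name and letter case are ignored;
    'notfollowmego12.ru' must NOT match, so we compare on label boundaries.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def scan_dns_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per indicator hit; lines not in the format are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, resolver, qname = m.group("ts", "src", "resolver", "qname")
        if matches_c2_domain(qname):
            alerts.append(Alert(ts, src, "known-c2-domain", qname))
        if resolver not in ALLOWED_RESOLVERS:
            alerts.append(Alert(ts, src, "unapproved-resolver", f"{qname} via {resolver}"))
    return alerts


def parse_beacon(decrypted: str) -> Dict[str, str]:
    """Split the decrypted POST body 'id:...|bid:X|bv:XXX|sv:XXXX|la:X' into fields."""
    fields: Dict[str, str] = {}
    for part in decrypted.split("|"):
        if ":" not in part:
            continue
        key, value = part.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


# Constructed sample log: one infected host (10.0.0.17) resolving the four
# domains directly through 8.8.4.4, one clean host, and one unparsable line.
SAMPLE_LOG = [
    "2011-11-10T09:12:01 10.0.0.17 -> 10.0.0.53 query www.example.com",
    "2011-11-10T09:12:05 10.0.0.17 -> 8.8.4.4 query followmego12.ru",
    "2011-11-10T09:12:05 10.0.0.17 -> 8.8.4.4 query hidemyfass87111.ru",
    "2011-11-10T09:12:06 10.0.0.17 -> 8.8.4.4 query losokorot7621.ru",
    "2011-11-10T09:12:06 10.0.0.17 -> 8.8.4.4 query mamtumbochka766.ru",
    "2011-11-10T09:13:40 10.0.0.22 -> 10.0.0.53 query mail.example.org",
    "this line does not match the expected format",
]

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src} {alert.reason}: {alert.detail}")
    # Constructed beacon; the real bot id is redacted in the advisory.
    print(parse_beacon("id:8REDACTED|bid:1|bv:123|sv:4567|la:0"))
```

Each of the four lookups from 10.0.0.17 produces two alerts (known domain plus unapproved resolver), which is the point: even if the domain list rots, the resolver check still surfaces the host.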

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Pakes.QUJ (Trojan)
  • GAV: Festi.C_3 (Trojan)
  • GAV: Pakes.II_2 (Trojan)