Trojan uses an old compression format to thwart detection

October 3, 2014

The Dell SonicWALL Threats Research team has received reports of a Trojan posing as a fake Word document. This Trojan may arrive in the form of an email with a seemingly harmless compressed file as an attachment. This attachment comes in ARJ file format, which was a popular compression format back in the 90's, and uses .arj as the file extension. By using a really old compression format, this malicious program can thwart security programs attempting to scan, block or unpack it.

Figure 1: Sample email with the malicious attachment

Infection Cycle:

The Trojan uses the following naming conventions with a .scr or .exe file extension:

  • statmnt_yyyy-mm-dd_*random digits*.scr
  • infraction_yyyy-mm-dd_*random digits*.exe
  • order_yyyy-mm-dd_*random digits*.scr
  • runout_yyyy-mm-dd_*random digits*.scr
  • termnate_yyyy-mm-dd_*random digits*.exe
  • sale_yyyy-mm-dd_*random digits*.exe
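An attachment scanner does not need a decompressor to see what an ARJ archive carries: the member names sit in plain header fields. The following added example (not SonicWALL's code) walks the ARJ header chain described in the public ARJ format notes, lists the members without unpacking anything, and flags names that fit the lure patterns above; the sample archive is constructed inline with zeroed CRCs and is not a real sample.

```python
import re
import struct

ARJ_MAGIC = b"\x60\xea"  # every ARJ header starts with id 0xEA60, little-endian
# Lure names quoted in the advisory: <word>_yyyy-mm-dd_<digits>.scr or .exe
LURE_NAME = re.compile(
    r"^(statmnt|infraction|order|runout|termnate|sale)_\d{4}-\d{2}-\d{2}_\d+\.(scr|exe)$",
    re.IGNORECASE)


def arj_member_names(data: bytes) -> list[str]:
    """Walk the ARJ header chain and list member names; nothing is decompressed."""
    names, pos, is_main = [], 0, True
    while True:
        if data[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError(f"not an ARJ header at offset {pos}")
        basic_size = struct.unpack_from("<H", data, pos + 2)[0]
        if basic_size == 0:  # a header with size 0 is the end-of-archive marker
            return names
        hdr = pos + 4  # basic header: first_hdr_size byte, fixed fields, name, comment
        name_start = hdr + data[hdr]  # NUL-terminated name follows the fixed fields
        name = data[name_start:data.index(b"\x00", name_start)].decode("latin-1")
        after = hdr + basic_size + 4  # skip the basic header and its 4-byte CRC
        ext_size = struct.unpack_from("<H", data, after)[0]
        pos = after + 2 + (ext_size + 4 if ext_size else 0)  # extended header + CRC, if any
        if is_main:  # the first header describes the archive itself, not a member
            is_main = False
            continue
        names.append(name)
        pos += struct.unpack_from("<I", data, hdr + 12)[0]  # compressed size: skip the data


def suspicious_members(data: bytes) -> list[str]:
    """Member names (path stripped) that match the advisory's executable lure pattern."""
    return [n for n in arj_member_names(data) if LURE_NAME.match(re.split(r"[\\/]", n)[-1])]


def _header(name: bytes, file_type: int, payload: bytes = b"") -> bytes:
    """Constructed minimal ARJ header (CRCs zeroed, no extended header) plus its payload."""
    fixed = bytes([30, 11, 1, 0, 0, 0, file_type, 0])  # first_hdr_size=30, versions, flags
    fixed += struct.pack("<IIIIHHH", 0, len(payload), len(payload), 0, 0, 0, 0)
    basic = fixed + name + b"\x00\x00"  # NUL-terminated name, empty comment
    return ARJ_MAGIC + struct.pack("<H", len(basic)) + basic + bytes(6) + payload


# Constructed sample: an archive carrying a lure .scr and a benign text file.
SAMPLE_ARJ = (_header(b"statmnt.arj", 2)  # file type 2 = main (archive) header
              + _header(b"statmnt_2014-10-03_48213.scr", 0, b"MZ" + bytes(14))
              + _header(b"readme.txt", 1, b"hello")
              + ARJ_MAGIC + bytes(2))  # end-of-archive marker
```

Because the check reads only the header chain, it works on archives whose compression method the scanner cannot unpack; pair it with a magic-byte test so renamed .arj attachments are caught regardless of extension.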

Once executed it drops the following files:

  • %TEMP%/sale__*random digits*.rtf (a harmless document file)

It then displays the contents of this document by executing the following commands:

  • PROGRAM FILES\MICROSOFT\OFFICE11\WORDVIEW.EXE ["PROGRA~1\MICROS~2\OFFICE11\WORDVIEW.EXE" /n /dde]

Figure 2: Example contents of the harmless word document

To verify internet connectivity, the Trojan performs the following DNS queries:

Figure 3: DNS query to microsoft.com

The Trojan then establishes a connection to different remote servers and sends out encrypted data:

Figure 4: Trojan connects to remote server sazlar.de
Trojan connects to remote servers: sazlar.de, telasramacrisna.br and powerc214.galaxy-gmbh-service.de

Figure 5: Example of encrypted data sent

Based on the following strings found in the main binary file, this Trojan is capable of downloading additional malware to the victim's machine:

Figure 6: Hardcoded strings found in the main executable
Trojan tries to download mine.tar.gz from: sazlar.de, telasramacrisna.br, pinballpassion.fr and necaps.org

These additional malware components were found to be variants of Zbot and are detected as:

  • Mine.exe [Detected as GAV: Zbot.AAD (Trojan)]

And in true Zbot fashion, this new malware component was found to post encrypted data and send DNS queries to randomized domain names:

Figure 7: ZBot generated DNS queries to random domains

Overall, this Trojan is capable of downloading additional malware onto the victim's machine. It can also send sensitive information out to a remote server.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Sinowal.CF (Trojan)
  • GAV: Sinowal.CF_2 (Trojan)
  • GAV: Sinowal.CF_3 (Trojan)
  • GAV: Vikaslop.A (Trojan)
  • GAV: Vikaslop.A_2 (Trojan)
  • GAV: Zbot.AAD (Trojan)