US Postal Service Email Spam

November 8, 2011

SonicWALL UTM Research team received reports of a new spam campaign, spreading in the wild, that pretends to come from the US Postal Service. It carries a new variant of the Dofoil Trojan, which SonicWALL blocks as GAV: Dofoil.L. This Trojan also downloads other malware components, including additional trojans and FakeAV malware.

The sample e-mail format of the spam campaign includes the following:

Subject:

  • USPS Shipment Status IDxxxxxxxx
  • USPS service. Get your parcel IDxxxxxxxx
  • USPS Invoice copy IDxxxxxxxx
  • USPS Tracking number IDxxxxxxxx

Attachment: Post_Label#id{Random Numbers}.zip

The ZIP file attachment contains a malicious executable that disguises itself as a document by using the Microsoft Word icon, as shown below:

    screenshot

Example of the email spam:

    screenshot

If the user extracts and runs the executable inside the ZIP attachment, it performs the following activity:

  • Creates a new SVCHOST.EXE process and injects its code into it.
  • Creates a copy of itself as %Application Data%\csrss.exe and deletes the original executable file.

Downloads other malware:

  • %windir%\system32\msrepl40A.exe - [ detected as GAV: Swisyn.JYB (Trojan) ]
  • %windir%\system32\wbcache8.exe - [ detected as GAV: Swisyn.JYB (Trojan) ]
  • sl20.exe - [ detected as GAV: EncPk.WX_3 (Trojan) ]
  • setup.exe - [ detected as GAV: Pirminay.ANW (Trojan) ]
  • 574-01.exe - [ detected as GAV: FakeAlert.BHX (Trojan) ]
  • sssss.exe - [ detected as GAV: Danmec.L (Trojan) ]

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\gtwbetugt
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Epsilon Squared
    Data: "%Application Data%\csrss.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: TKYDMYTE
    Data: "C:\WINDOWS\System32\wbcache8.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Dbft
    Data: "C:\WINDOWS\System32\msrepl40A.exe"

Network Activity:

HTTP GET Requests:

  • http://live{REMOVED}128.ru/m07/index.php
  • http://suteki{REMOVED}disc.jp/walking-diet/
  • http://image{REMOVED}ing.be/

DNS Requests:

  • live{REMOVED}128.ru

Hosts File Modification:

The malware adds the following entries, pointing several torrent websites at the loopback address so that they cannot be reached:

  • 127.0.0.1 thepiratebay.org
  • 127.0.0.1 www.thepiratebay.org
  • 127.0.0.1 mininova.org
  • 127.0.0.1 www.mininova.org
  • 127.0.0.1 forum.mininova.org
  • 127.0.0.1 blog.mininova.org
  • 127.0.0.1 suprbay.org
  • 127.0.0.1 www.suprbay.org
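As an added example (not part of the original advisory), the following Python checks the three indicator sets described above on offline data: the lure's subject and attachment naming, the persistence values and marker key in a Regedit export, and the 127.0.0.1 hosts-file entries. The registry export and hosts file embedded in it are constructed to mirror the indicators listed (the "Documents and Settings\user" profile path is made up), and the regular expressions for the subject and attachment names are assumptions that generalize the "IDxxxxxxxx" and "{Random Numbers}" placeholders. Two caveats are built in: csrss.exe is also a legitimate Windows binary under %windir%\system32, so it is only treated as a match outside that directory, and any value under HKCU\...\Policies\Explorer\Run is unusual enough that the code reports it for review even when the file name is unknown.

```python
import re
from typing import Dict, List

# --- Email lure indicators (regexes are assumptions generalizing the report) ---
SUBJECT_RE = re.compile(r"^USPS\b.*\bID\d+\s*$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^Post_Label#id\d+\.zip$", re.IGNORECASE)


def is_usps_lure(subject: str, attachment: str) -> bool:
    """True when both the subject and the attachment name fit the campaign."""
    return bool(SUBJECT_RE.match(subject.strip()) and ATTACHMENT_RE.match(attachment.strip()))


# --- Registry indicators ------------------------------------------------------
POLICIES_RUN = r"software\microsoft\windows\currentversion\policies\explorer\run"
MARKER_KEY = r"hkey_current_user\software\gtwbetugt"
DROPPED_NAMES = {"wbcache8.exe", "msrepl40a.exe"}

# Constructed Regedit 5.00 export (not a real capture) reflecting the listed keys.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\gtwbetugt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Epsilon Squared"="C:\\Documents and Settings\\user\\Application Data\\csrss.exe"
"TKYDMYTE"="C:\\WINDOWS\\System32\\wbcache8.exe"
"Dbft"="C:\\WINDOWS\\System32\\msrepl40A.exe"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Regedit export into {key: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    value_re = re.compile(r'^"([^"]+)"="(.*)"$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = value_re.match(line)
            if m:  # .reg files escape backslashes as "\\"
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_registry_iocs(reg_text: str) -> List[str]:
    """Report the marker key and every Policies\\Explorer\\Run entry ("match:" or "review:")."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        key_l = key.lower()
        if key_l == MARKER_KEY:
            findings.append(f"match: marker key present: {key}")
        if key_l.endswith(POLICIES_RUN):
            for name, data in values.items():
                path_l = data.lower()
                base = path_l.rsplit("\\", 1)[-1]
                # csrss.exe is legitimate only under %windir%\system32; the
                # Dofoil copy lives under %Application Data%.
                known = base in DROPPED_NAMES or (base == "csrss.exe" and "\\system32\\" not in path_l)
                findings.append(f"{'match' if known else 'review'}: {key}\\{name} = {data}")
    return findings


# --- Hosts file indicators ----------------------------------------------------
SINKHOLED = {"thepiratebay.org", "www.thepiratebay.org", "mininova.org", "www.mininova.org",
             "forum.mininova.org", "blog.mininova.org", "suprbay.org", "www.suprbay.org"}

# Constructed hosts file (not a real capture); "127.0.0.1 localhost" is normal.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org
127.0.0.1 forum.mininova.org   # added by malware
"""


def find_hosts_iocs(hosts_text: str) -> List[str]:
    """Return hostnames from the report's list that are pinned to 127.0.0.1."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "127.0.0.1":
            continue
        hits.extend(h.lower() for h in parts[1:] if h.lower() in SINKHOLED)
    return hits


if __name__ == "__main__":
    print(is_usps_lure("USPS Tracking number ID73625519", "Post_Label#id8821.zip"))
    for finding in find_registry_iocs(SAMPLE_REG_EXPORT):
        print(finding)
    print(find_hosts_iocs(SAMPLE_HOSTS))
```

On a live host the same logic applies to `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` output and to %windir%\system32\drivers\etc\hosts; the email check belongs at the mail gateway, where both subject and attachment name are available before the ZIP reaches a user.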

FakeAV

After the FakeAV component is installed, it shows a fake Windows error alert, as seen below:

    screenshot

    screenshot

    screenshot

Clicking the "Scan and fix" button runs a fake scan and shows fabricated results:

    screenshot

Clicking the "Fix Errors" button prompts the user to buy the fake security software.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dofoil.L#email (Trojan)
  • GAV: Dofoil.L (Trojan)
  • GAV: Swisyn.JYB (Trojan)
  • GAV: EncPk.WX_3 (Trojan)
  • GAV: FakeAlert.BHX (Trojan)
  • GAV: Danmec.L (Trojan)