Virtumonde windshield malware
SonicWALL UTM Research team observed a new interesting social engineering trick to install malware: hackers are using fake parking violation warnings to trick motorists into visiting malware-infested websites.
A windshield flier was left in cars with a website address linked to a malicious file. The fliers said:
PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to http://horribleparkxxxx.com/
The website serves the malicious file to the user: http://horribleparkxxxx.com/PictureSearchToolbar.exe
This malware: PictureSearchToolbar.exe is detected by SonicWALL as GAV: AgentBypass_6 (Trojan).
It is a variant of Virtumonde / Vundo family of trojan horse that cause popups and advertises rogue antispyware programs. (aka Win32/Vundo.JI [Microsoft]). PictureSearchToolbar.exe is 56,832 bytes in size and when it runs it drops these files on the system:
- %Temp%awtrQGay.bat - 63 bytes
- %System%yayyXRKe.dll - 38,912 bytes
It injects yayyXRKe.dll in explorer.exe process.
It also creates the following registry entries:
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionControl PanelSettings
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyyayyXRKe
- HKEY_LOCAL_MACHINESOFTWAREMicrosoft 0cd0861
It then attempts to download http://childxxxx.com/pas/apstpldr.dll.html?affid=177194&uid=&guid=16560F811C084DA3B8270F85F0661238 and save it as %System%awtrQGay.dll.
Downloaded malware: awtrQGay.dll is detected by SonicWALL as GAV: Monder_3 (Trojan), it is another variant of Virtumonde/Vundo trojan and attempts to install Fake Antivirus software from bestantispywaresecurityxxx.com
SonicWALL Gateway AntiVirus provides protection against this attack via GAV: Monder_3 (Trojan) and GAV: AgentBypass_6 (Trojan) signatures.
The following figures shows the recorded hits for GAV: Monder_3 (Trojan) signature.