Virtumonde windshield malware

February 9, 2009

The SonicWALL UTM Research team observed a new social engineering trick for installing malware: attackers are leaving fake parking violation notices on cars to lure motorists to a malware-hosting website.

A windshield flier was left on cars carrying a website address that leads to a malicious file. The fliers said:

  PARKING VIOLATION
  This vehicle is in violation of standard parking regulations.
  To view pictures with information about your parking preferences, go to
  http://horribleparkxxxx.com/

The website serves the malicious file to the user: http://horribleparkxxxx.com/PictureSearchToolbar.exe

PictureSearchToolbar.exe is detected by SonicWALL as GAV: AgentBypass_6 (Trojan).

[screenshot]

It is a variant of the Virtumonde / Vundo family of trojans, which causes pop-ups and advertises rogue antispyware programs (aka Win32/Vundo.JI [Microsoft]). PictureSearchToolbar.exe is 56,832 bytes in size; when it runs it drops these files on the system:

  • %Temp%\awtrQGay.bat - 63 bytes
  • %System%\yayyXRKe.dll - 38,912 bytes

It injects yayyXRKe.dll into the explorer.exe process.

It also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyXRKe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\0cd0861
  • HKEY_CURRENT_USER\Software\Microsoft\cs41275
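The dropped-file and registry indicators above are the persistence footprint an incident responder would hunt for: a Winlogon notification package (loaded into winlogon.exe at every logon) and a COM class whose InprocServer32 points at the same DLL. The following is an added triage script, not part of the original SonicWALL write-up, that checks a regedit text export and a %System% directory listing for that footprint offline. The registry value data other than the DLL paths, the legitimate XP Notify entries used as negative controls, and the file sizes other than the 38,912-byte yayyXRKe.dll are constructed sample data; the "eight mixed-case letters" name heuristic is an assumption drawn from the two names on this page, not a published Vundo signature.

```python
"""Offline triage for the Virtumonde/Vundo persistence described above.

Works on a regedit text export plus a directory listing, so it runs without a
Windows host.  The sample data below is constructed to mirror the page's IOCs.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "kind key dll")

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed .reg export: the two Vundo keys from the page (value data other
# than the DLL paths is assumed) plus two legitimate XP Notify entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
@="yayyXRKe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
@="C:\\WINDOWS\\system32\\yayyXRKe.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyXRKe]
"DllName"="C:\\WINDOWS\\system32\\yayyXRKe.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""

# Constructed %System% listing as (name, size); only yayyXRKe.dll's size is from the page.
SAMPLE_SYSTEM32 = [("kernel32.dll", 989184), ("browseui.dll", 1024000),
                   ("yayyXRKe.dll", 38912)]


def dll_basename(path):
    """Last component of a Windows path ('C:\\x\\y.dll' -> 'y.dll')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(name):
    """Heuristic (assumption): Vundo's dropped DLLs on this page are eight
    mixed-case letters.  Legitimate Windows DLLs are lower-case, so require an
    upper-case letter after the first character to avoid e.g. wlnotify.dll."""
    stem, _, ext = name.rpartition(".")
    return (ext.lower() == "dll" and len(stem) == 8 and stem.isalpha()
            and any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem))


def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.
    Returns {key_path: {value_name: data}}.  Only REG_SZ data is unescaped
    (the export doubles backslashes); other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (line.startswith('"') or line.startswith("@")):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def find_vundo_indicators(keys):
    """Flag Winlogon Notify packages and CLSID InprocServer32 entries whose DLL
    name matches the heuristic."""
    findings = []
    for key, values in keys.items():
        lower = key.lower()
        if lower.startswith(NOTIFY_ROOT.lower() + "\\"):
            dll = values.get("DllName", "")
            if looks_random(dll_basename(dll)):
                findings.append(Finding("winlogon_notify", key, dll))
        elif lower.startswith(CLSID_ROOT.lower() + "\\") and lower.endswith("\\inprocserver32"):
            dll = values.get("(Default)", "")
            if looks_random(dll_basename(dll)):
                findings.append(Finding("clsid_inproc", key, dll))
    return findings


def correlate(findings):
    """Group findings by DLL: one module registered both as a Winlogon
    notification package and as a COM server is the pairing this sample shows."""
    by_dll = {}
    for f in findings:
        by_dll.setdefault(dll_basename(f.dll).lower(), set()).add(f.kind)
    return by_dll


def suspicious_files(listing):
    """Names in a %System% listing that match the heuristic."""
    return [name for name, _ in listing if looks_random(name)]


if __name__ == "__main__":
    hits = find_vundo_indicators(parse_reg(SAMPLE_REG))
    for dll, kinds in correlate(hits).items():
        print(f"{dll}: {', '.join(sorted(kinds))}")
    print("suspect files:", suspicious_files(SAMPLE_SYSTEM32))
```

On a live XP host the input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` and a `dir` of %System%. The name heuristic is deliberately weak (the names differ per sample and the attacker controls their case); the durable signal is the correlation, since a normal Notify package has no reason to also be a registered COM class. Winlogon notification packages only exist on XP and Server 2003, so this check does not apply to Vista and later.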

It then attempts to download http://childxxxx.com/pas/apstpldr.dll.html?affid=177194&uid=&guid=16560F811C084DA3B8270F85F0661238 and save it as %System%\awtrQGay.dll.

The downloaded awtrQGay.dll is detected by SonicWALL as GAV: Monder_3 (Trojan). It is another Virtumonde/Vundo variant and attempts to install fake antivirus software from bestantispywaresecurityxxx.com.

SonicWALL Gateway AntiVirus provides protection against this attack via GAV: Monder_3 (Trojan) and GAV: AgentBypass_6 (Trojan) signatures.

The following figure shows the recorded hits for the GAV: Monder_3 (Trojan) signature.

[screenshot]