Wrong Hotel transaction spam campaign

July 28, 2011

The SonicWALL UTM Research team observed a new spam campaign in the wild that pretends to come from well-known hotels such as Embassy Suites, Marriott, etc. The e-mail contains an apology note from the hotel's reservation department listing details of a wrong transaction applied to the recipient's credit card. It then asks the user to download and fill out the refund form attached to the e-mail. The attachment is a zip file that contains a malicious Fake AV Downloader Trojan executable.

A sample e-mail message looks like:


A sample list of e-mail subjects showing the various hotels impersonated in this campaign so far:


The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file:


If executed, the file performs activity similar to what we have seen in previous variants:

  • Creates a process SVCHOST.EXE and injects code into it.
  • Reports the infected machine to a server on domain yomwar(REMOVED).ru by sending the following GET request:
    • GET /forum3/task.php?bid=a67a41eXXXXX23&os=5-1-2600&uptime=0&rnd=229125
  • Drops the following files:
    • (Startup)dxdiag.exe [Copy of itself that starts upon system reboot and runs the Fake AV]
    • (Application Data)gL11000PgAgJ11000gL11000PgAgJ11000.exe [GAV: Fakesysdef.BDO (Trojan) downloaded from radio-80.com]

  • Deletes the original copy of the file.
  • Runs the newly downloaded Fake AV Trojan variant, which performs the following activity after a 500 millisecond sleep:
    • Displays multiple fake infections in the Rogue AV GUI.
    • Unlike previous Fake AV variants, it does not hide the user's program files but instead makes them unusable: it terminates any user-initiated process and displays a fake alert message.
    • Prompts the user to purchase the full version in order to clean up the fake infections.
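
The check-in request listed above has a distinctive shape (a task.php path carrying exactly the bid, os, uptime and rnd parameters), so it can be hunted for in web proxy logs even though the domain is redacted here. The following is an added detection sketch, not SonicWALL's signature logic; the log layout (timestamp, client IP, method, URL, status), the example.test hosts and the bot ids are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters seen in the check-in request quoted in the advisory.
CHECKIN_PARAMS = {"bid", "os", "uptime", "rnd"}
OS_RE = re.compile(r"^\d+-\d+-\d+$")  # e.g. 5-1-2600 (major-minor-build)

def match_checkin(url):
    """Return the reported fields if url has the check-in shape, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/task.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    # Require exactly the four parameters, each present once.
    if set(q) != CHECKIN_PARAMS or any(len(v) != 1 for v in q.values()):
        return None
    f = {k: v[0] for k, v in q.items()}
    if not (OS_RE.match(f["os"]) and f["uptime"].isdigit() and f["rnd"].isdigit()):
        return None
    return {"host": parts.hostname, **f}

def scan_proxy_log(lines):
    """Yield (client_ip, fields) for each log line whose URL matches."""
    for line in lines:
        cols = line.split()
        # Assumed layout: timestamp client_ip method url status
        if len(cols) < 5 or cols[2] != "GET":
            continue
        hit = match_checkin(cols[3])
        if hit:
            yield cols[1], hit

# Constructed sample log lines (hosts, IPs and ids are made up).
SAMPLE_LOG = [
    "2011-07-28T10:02:11Z 10.0.0.15 GET http://c2.example.test/forum3/task.php?bid=0123456789abcd&os=5-1-2600&uptime=0&rnd=229125 200",
    "2011-07-28T10:02:40Z 10.0.0.22 GET http://intranet.example.test/task.php?id=7 200",
    "2011-07-28T10:03:05Z 10.0.0.15 GET http://www.example.test/forum3/index.php 200",
    "2011-07-28T10:04:19Z 10.0.0.31 GET http://c2.example.test/forum3/task.php?bid=fedcba98765432&os=6-1-7601&uptime=3&rnd=5501 200",
]

if __name__ == "__main__":
    for client, fields in scan_proxy_log(SAMPLE_LOG):
        print(client, fields["host"], fields["bid"], fields["os"])
```

Each hit identifies an internal client to triage, and the extracted bid lets repeated check-ins from the same machine be grouped.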

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Injecter.GFY (Trojan)
  • GAV: Zbot.ASK_2 (Trojan)
  • GAV: Kryptik.QUV (Trojan)