AA ticket spam threat

Status
Not open for further replies.
markis10

markis10

Veteran Member
Joined
Nov 25, 2004
Posts
31,191
Qantas
LT Gold
Virgin
Red
Oneworld
Sapphire
SonicWALL Security Center

Back to SonicALERT

American Arlines Ticket Spam - XP Home Security 2012 (Dec 22, 2011)



Description


The Sonicwall UTM research team discovered a new spam campaign spreading a well known FakeAV: XP Home Security 2012. The Trojan spreads through email and arrives as a zipped email attachment purporting to be from American Airlines:


  • bredo.t_22_dec_1.png
The Trojan uses the following icon in an attempt to masquerade as a harmless PDF file:


  • bredo.t_22_dec_2.png
The Trojan performs the following DNS queries:

  • www.mortg{removed}.tv
  • Google
  • refunados{removed}.ru
  • www.tria{removed}.org
The Trojan spawns and injects code into svchost.exe causing it to make the following HTTP GET request from a compromised remote webserver:

  • bredo.t_22_dec_8.png
The Trojan downloads 1.exe, renames it to gio.exe and executes it. It uses the following icon:


  • bredo.t_22_dec_3.png
The Trojan adds the following files to the filesystem:


  • C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe [Detected as GAV: FakeAv.JICD (Trojan)]
  • C:\Documents and Settings\{USER}\Application Data\csrss.exe [Detected as GAV: Bredo.T (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\708j72l30qfte5ro4u62483b417elw [Detected as GAV: FakeAvCn.C (Trojan)]
The Trojan adds the following keys to the Windows registry:


  • HKEY_CLASSES_ROOT\0J2\shell\open\command "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -a "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "WinRAR SFX" "C:\Documents and Settings\{USER}\Application Data\csrss.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "bieovju rundll32 C:\DOCUME~1\{USER}\APPLIC~1\MICROS~1\Protect\yxikrlc.n, dquc"
The Trojan deletes the following keys from the Windows registry to disable automatic updates:


  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSER\
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\
The Trojan runs gio.exe using the following command line:

    • C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -dtm -a
The Trojan pops up the following FakeAV windows in an attempt to fool the user into buying the software:


  • bredo.t_22_dec_5.png


  • bredo.t_22_dec_7.png
 
Wow! They go to all this trouble to trick someone into purchasing software that does not normally sell very well, if at all.

So who is involved? Is it that hard to trace the money trail and prosecute those responsible?
 
Check out the latest credit card signup bonus point offers
Read our AFF credit card guides and start earning more points now.

AFF Supporters can remove this and all advertisements

Status
Not open for further replies.

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.

Recent Posts

Currently Active Users

Total: 1,113 (members: 8, guests: 1,105)
Back
Top