AA ticket spam threat

[markis10]

SonicWALL Security Center

Back to SonicALERT

---

American Arlines Ticket Spam - XP Home Security 2012 (Dec 22, 2011)

---

Description


The Sonicwall UTM research team discovered a new spam campaign spreading a well known FakeAV: XP Home Security 2012. The Trojan spreads through email and arrives as a zipped email attachment purporting to be from American Airlines:

• 

The Trojan uses the following icon in an attempt to masquerade as a harmless PDF file:

• 

The Trojan performs the following DNS queries:

• www.mortg{removed}.tv
• Google
• refunados{removed}.ru
• www.tria{removed}.org

The Trojan spawns and injects code into svchost.exe causing it to make the following HTTP GET request from a compromised remote webserver:

• 

The Trojan downloads 1.exe, renames it to gio.exe and executes it. It uses the following icon:

• 

The Trojan adds the following files to the filesystem:

• C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe [Detected as GAV: FakeAv.JICD (Trojan)]
• C:\Documents and Settings\{USER}\Application Data\csrss.exe [Detected as GAV: Bredo.T (Trojan)]
• C:\Documents and Settings\{USER}\Local Settings\Application Data\708j72l30qfte5ro4u62483b417elw [Detected as GAV: FakeAvCn.C (Trojan)]

The Trojan adds the following keys to the Windows registry:

• HKEY_CLASSES_ROOT\0J2\shell\open\command "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -a "%1" %*
• HKEY_CLASSES_ROOT\.exe\shell\open\command "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -a "%1" %*
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "WinRAR SFX" "C:\Documents and Settings\{USER}\Application Data\csrss.exe"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "bieovju rundll32 C:\DOCUME~1\{USER}\APPLIC~1\MICROS~1\Protect\yxikrlc.n, dquc"

The Trojan deletes the following keys from the Windows registry to disable automatic updates:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSER\
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\

The Trojan runs gio.exe using the following command line:

• • C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -dtm -a

The Trojan pops up the following FakeAV windows in an attempt to fool the user into buying the software:

• 

• 

 

[KateMayo]

Thanks for the alert, markis10

 

[JohnK]

Wow! They go to all this trouble to trick someone into purchasing software that does not normally sell very well, if at all.

So who is involved? Is it that hard to trace the money trail and prosecute those responsible?