FakeXvid.A – Increase in drive-by infections (May 20, 2011)

The SonicWALL UTM research team has seen a sudden increase in drive-by infection malware. Such infection takes place simply by visiting a website that uses a known browser exploit. Some of these websites are hosted on legitimate servers that have been compromised.

The Trojan is being actively spammed via e-mails containing malicious links:

The link in the email directs the user to a malicious website pretending to host a video that requires the XVID codec:

The website page contains an iframe HTML tag that causes the download of a malicious PDF file:

The PDF file employs a known (heap spray) exploit to run malicious code. The code decrypts and runs a script. This script downloads and runs setup.exe :

The webpage will also initiate the download of XvidSetup.exe :

The Trojan performs the following DNS queries:

• smtp.mail.ru

The Trojan creates the following files on the filesystem:

• C:Documents and Settings{USER}Local SettingsTempsetup.exe
• C:Documents and Settings{USER}Local SettingsTemporary Internet FilesContent.IE5SL2VSXQV37dbbd.pdf

The Trojan creates the following key in the Windows registry:

• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun AutoStart "C:DOCUME~1{USER}LOCALS~1Tempsetup.exe"

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

• GAV: FakeXvid.A (Trojan)
• GAV: Kryptik.NTI_3 (Trojan)
• GAV: Pdfka.OSQ (Trojan)