
The SonicWALL UTM Research team discovered a new Banker Trojan spam theme involving fake McAfee E-mail Protection alerts. The e-mail in the instance we saw is in Portuguese and warns the user about a computer virus infection.
The e-mail pretends to come from McAfee E-Mail Protection and tells the user that the computer is infected with a virus, Worm/Delf.JBH, that is sending malicious e-mails to all the contacts found on the computer. It further warns that the e-mail account will be permanently blocked if the virus is not removed, and offers a fake cleanup tool from McAfee E-mail Protection for download via a URL in the e-mail. If the user clicks on the URL, it leads to the download of the new Banker Trojan variant.
The e-mail message looks like:
The downloaded fake McAfee E-mail protection cleanup tool looks like:
If the user runs the malicious executable file, it performs the following activities:
Both files are compressed with the PECompact v2 packer. The site hosting these files appears to be compromised, as shown below:
SonicWALL Gateway AntiVirus provides protection against this Trojan via the GAV: Banker.BXQ_3 (Trojan) signature.
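A mail-filter check for the lure described above, as an added example that is not SonicWALL's code or signature logic: it flags a message whose From display name uses the McAfee brand while the sender domain does not, and whose body links to an executable hosted off the brand's domain. The brand domain list, finding names, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "mcafee"
BRAND_DOMAINS = ("mcafee.com",)   # assumption: domains accepted as the real brand
RISKY_EXT = (".exe", ".scr", ".pif", ".com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_brand_host(host):
    # Exact match or true subdomain only; "mcafee.com.evil.example" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def body_text(msg):
    # Collect every text part, decoding transfer encoding and charset.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_message):
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Display name claims the brand, but the address belongs to another domain.
    if BRAND in display.lower() and not is_brand_host(addr.rpartition("@")[2]):
        findings.append("brand-name-from-unrelated-domain")
    # "Cleanup tool" link that fetches an executable from a non-brand host.
    for url in URL_RE.findall(body_text(msg)):
        parts = urlparse(url)
        if parts.path.lower().endswith(RISKY_EXT) and not is_brand_host(parts.hostname):
            findings.append("executable-link-off-brand-domain")
            break
    return findings

def sample(from_header, url):
    # Constructed test message; not taken from the actual spam run.
    return (f"From: {from_header}\nSubject: Alerta de virus\n"
            "Content-Type: text/plain; charset=us-ascii\n\n"
            f"Baixe a ferramenta de limpeza: {url}\n")

SPOOFED = sample('"McAfee E-Mail Protection" <alerta@mail.example>',
                 "http://compromised.example/limpeza.exe")
GENUINE = sample('"McAfee" <noreply@mcafee.com>', "https://www.mcafee.com/tool.exe")

if __name__ == "__main__":
    print(assess(SPOOFED), assess(GENUINE))
```

Either finding alone is a weak signal; together they match the pattern of a security-vendor alert that pushes a download from an unrelated, possibly compromised, site.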

An Article By
Security News