Michael Jackson Video Trojan (June 26, 2009)

SonicWALL UTM Research team observed a new Trojan Downloader - Adload.LI (Trojan) being spammed in the wild starting June 26, 2009. The spammed emails pretend to contain links to unseen videos and pictures of late Michael Jackson.

The link in the spammed e-mail points to a well-known radio broadcasting station website hosted in Australia. At the time of writing this alert, the link was still alive fetching the malicious file:

• www.beatzradio(REMOVED).Jackson_videos_fotos.php

The file gets downloaded as Michael.Jackson.videos.scr and has an icon disguised as a MPEG video file as seen below:

Screenshot of a download prompt from the well-known website is shown below:

When executed the Trojan Downloader performs following activity:

• Creates a Mutex Object _!SHMSFTHISTORY!_ to marks its presence in the system
• Opens up a legitimate website showing a news article related to Michael Jackson in Internet Explorer as seen below:



• Attempts to download malicious files from anella2009.dominiotemporario.com domain:
• GET /ba/foto.dll - saved as (Windows)Dynamic.dll (GAV: Banker.N (Trojan))
• GET /ba/michael.gif - saved as (System)fotos.exe (GAV: Banspy.F (Trojan))
• GET /ba/kproces.gif - saved as (System)kproces.exe (GAV: Banbra.NOR (Trojan))
• Runs the files downloaded above.

This Trojan is also known as TrojanDownloader:Win32/VB.LI and Trojan-Downloader.Win32.Adload

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Adload.LI (Trojan) signature.