Back to overview

Threat intelligence

Spam from your Facebook account – (Apr 29, 2011)

by Security News

SonicWALL UTM Research team received reports of a new spam campaign pretending to be arriving from Facebook abuse Department spreading in the wild. It involves the new variant of Oficla Trojan that SonicWALL blocked as GAV: Oficla.MME. This worm also downloads component files including mass mailer, info-stealer and FakeAV malware.

The sample e-mail format of the spam campaign includes the following:

Subject:

  • Spam from your Facebook account
  • Spam from your account
  • Your password has been changed

    •

Attachment: Attached_SecurityCode{Random Numbers}.zip

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates the process SVCHOST.EXE and injects its code.
  • Deletes the original executable file

Downloads other malware:

  • Application Datagog.exe - [ detected as GAV: FakeAV.MME (Trojan) ]
  • %windir%system32aspimgr.exe - [ detected as GAV: Mailer.G (Trojan) ]
  • %temp%Qojmytwjb.exe - [ detected as GAV: Mailer.G_2 (Trojan) ]
  • %temp%grabbers - [ detected as GAV: Grabber.A (Trojan) ]

Dropped files:

  • %windir%s32.txt
  • %windir%ws386.ini
  • %temp%_check32.bat
  • Application Datainstall

Added Registry:

  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon
    Value: Shell
    Data:"C:Documents and SettingsresearchApplication Datagog.exe"
  • Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesaspimgr
    Value: ImagePath
    Data: %windir%System32aspimgr.exe

Network Activity:

HTTP GET Requests:

  • http://campaign{REMOVED}ions.ru/connect/load.php
  • http://campaign{REMOVED}hools.ru/connect/load.php
  • http://campf{REMOVED}om.ru/connect/load.php
  • http://camp{REMOVED}a.ru/connect/load.php

HTTP POST Requests:
This worm downloads a malware component that steals information from the system. It sends those information to this URL:

  • http://campaign{REMOVED}ations.ru/connect/grabbers.php

DNS Requests:

  • cl6{REMOVED}tart.ru
  • hy{REMOVED}ys.ru
  • ml6{REMOVED}art.ru
  • 94.244.80.60

Mass Mailer

    Checks for internet connectivity by connecting to the following sites

  • www.yahoo.com
  • www.web.de

Checks connectivity to SMTP servers by querying MX records as show below: screenshot

Collects e-mail addresses but ignores addresses with the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com

Information Stealing
Steals credentials from the following applications:

    Poker Games:

  • Full Tilt Poker
  • Pacificpoker
  • PartyPoker
  • Titan Poker

    • FTP Clients:

  • BitKinex
  • Bullet Proof FTP
  • BulletProof FTP Client 2009
  • BulletProof FTP Client 2010
  • ClassicFTP
  • CoffeeCup FTP
  • CuteFTP 6 Home
  • CuteFTP 6 Professional
  • CuteFTP 7 Home
  • CuteFTP 7 Professional
  • CuteFTP 8 Home
  • CuteFTP 8 Professional
  • CuteFTP Lite
  • CuteFTP Pro
  • CuteFTP
  • Dev Zero G
  • DirectFTP
  • ExpanDrive
  • FAR Manager FTP
  • FTP Commander
  • FTP Explorer
  • FTPClient
  • FTPRush
  • FileZilla
  • FlashFXP
  • Fling
  • Frigate3 FTP
  • NetDrive
  • SmartFTP
  • Sota
  • TurboFTP
  • WS_FTP
  • WebDrive

    • Web Browser

  • Flock
  • Google Chrome
  • IE
  • Mozilla
  • Opera
  • Safari
  • Seamonkey
  • ThuderBird

    • IM Clients

  • AIM
  • ICQ
  • MSN
  • Messenger-2
  • Miranda
  • Trillian
  • Yahoo
  • Vypress

    • Mail Clients

  • Eudora
  • Forte
  • Mail Commander
  • Mail.Ru
  • POP Peeper
  • PocoMail
  • Windows Mail

    • Others

  • Myspace
  • Pandion
  • Sipphone

FakeAV

    After Installing the FakeAV application, it will show a Fake Microsoft Security Essentials Alert as seen below:

    screenshot

    After Clicking the "Scan Online" Button, it will show this message and prompts for rebooting the system:

    screenshot

    After rebooting the system, the following FakeAV screens will appear. It will then ask the user to pay for the software to completely clean the system.

    screenshot

    screenshot

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.MME (Trojan)
  • GAV: Grabber.A (Trojan)
  • GAV: Mailer.G (Trojan)
  • GAV: Mailer.G_2 (Trojan)
  • GAV: Oficla.MME (Trojan)

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.