Fake Conficker Removal Tool – Agent.MSU (June 10, 2009)

SonicWALL UTM Research team observed a new Trojan Downloader spammed in the wild starting June 9, 2009 pretending to be from Microsoft Security Department.

The email pretends to contain important Windows XP/Vista security update related to the Conficker worm and also contains a link to download a removal tool. The download link points to the new Trojan Downloader. The link leads to download of the malicious executable file from a domain in Russia:

• windowsupdate.microsoft.com.(Removed).ru/remtool_conf.exe

The downloaded file has zero AV detection at the time of writing this alert and it looks like this:

When executed the Trojan performs following activities:

• Stops the Windows security center service (Service Name: wscsvc)
• Creates a new directory (Windows Temporary folder)nsf3.tmp and drops webexplorer.exe, nsExec.dll, and NSISdl.dll files in it.
• Opens up a new window displaying Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 EULA:



• If the user clicks accept button and starts the tool it will run for a while and display a "fixbrisa" message box at the end:



• It attempts to connect to makemymoneys.com domain and downloads an Injector Trojan by sending HTTP GET request:
  • GET /install/winupdate.exe

  - Detected as GAV: Injector.PI (Trojan)

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.MSU (Trojan) signature.

Screenshot of the original e-mail message is shown below: