Wrong Hotel transaction spam campaign (July 28, 2011)

SonicWALL UTM Research team observed a new spam campaign pretending to be from known hotels like Embassy suites, Marriott, etc in the wild. The e-mail contains an apology note from Hotel's reservation department listing details about a wrong transaction applied to your credit card. It further asks the user to download and fill out the refund form attached with the e-mail. The e-mail attachment is a zip file which contains a malicious Fake AV Downloader Trojan executable.

A sample e-mail message looks like:

A sample list of e-mail subjects showing various Hotels masqueraded in this campaign till now:

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file:

The file if executed will perform activity similar to what we have seen in previous variants:

• Creates a process SVCHOST.EXE and injects code into it.
• Reports the infected machine to a server on domain yomwar(REMOVED).ru by sending the following GET request:
  • GET /forum3/task.php?bid=a67a41eXXXXX23&os=5-1-2600&uptime=0&rnd=229125
• Drops following files
  • (Startup)dxdiag.exe
  • (Application Data)gL11000PgAgJ11000gL11000PgAgJ11000.exe [GAV: Fakesysdef.BDO (Trojan) downloaded from radio-80.com

  ]

• Deletes the original copy of the file.
• Runs the downloaded new Fake AV Trojan variant which performs following activity after a 500 milisecond sleep:
  • Displays multiple fake infections in Rogue AV GUI

  

  • Unlike previous Fake AV variants it does not hide the user program files but instead makes them unusable. It terminates any user initiated processes displaying a fake alert message

  

  • Prompts user to purchase the full version in order to clean up the fake infections

  

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

• GAV: Injecter.GFY (Trojan)
• GAV: Zbot.ASK_2 (Trojan)
• GAV: Kryptik.QUV (Trojan)