The Statement of Fees malspam campaign continues today with additional messages carrying new Trojans. This round distributes the W32/Autorun.AFC.worm malware, which connects out and downloads a file called lspr.exe.
While monitoring the threat landscape over the last couple of weeks we have noticed an increase in fake anti-malware applications being used to defraud users. These applications provide no security whatsoever in terms of detecting or removing malware; instead, the application is designed to trick the user into believing the machine is infected, by means of persistent pop-ups, and to entice them into purchasing a "full version" as the supposed means of cleaning the system.
The motivation is always financial, and this is one way the criminals make money: sending out spam with Trojan downloaders hidden behind the links, designed to install fake security software, in the majority of cases AntiVirus XP 2008.
This morning the Celebrity spam campaign continued with a few new fake video codec sites delivering a downloader Trojan designed to install the fake security product known as AntiVirus XP 2008. It is now apparent that a number of these spam campaigns exist solely to distribute this one fake security product. The downloaded file is called video99.exe or video66.exe, varying with the email message and the site used (the HTML page names often correspond to the binary served: index99.html, index66.html, etc.).
Some of the subject lines used in this particular spam campaign are:
“John McCain to Paris Hilton: Cosmo, baywatch!”
“Britney Spears Shaves Head at Request of Zombie Overlord”
A couple of minutes ago another round of spam messages appeared claiming to provide information about a recently posted statement of fees (implying bank account fees). The message carries an attachment posing as a Microsoft Word document which is actually an executable with a double extension (Fees-2008_2009.doc.exe); with Windows' default setting of hiding known file extensions, Explorer displays it as Fees-2008_2009.doc. Running it installs a Trojan downloader.
Further analysis shows that, once installed, the Trojan connects to a PHP page hosted on a Russian domain to retrieve a list of several candidate sites from which to download the AntiVirus XP 2008 installer. The actual URLs are contained within that script; the file downloaded is lspr.exe (MD5 ffccd0518b04354532c733674c0faa00), which is identified as Adware/AVXP2008.
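To make the lure and the indicator above concrete, here is an added example (not code from the original post or from any vendor product) that triages mail attachments for the double-extension trick used by Fees-2008_2009.doc.exe, flags bare executable attachments such as video99.exe, and checks file hashes against a small indicator list seeded with the lspr.exe MD5 quoted above. The extension lists, the sample attachments and their bytes are constructed for the example; the real lspr.exe is not included, so the hash lookup is only exercised against constructed content.

```python
"""Added example: attachment triage for double-extension lures and known-bad hashes."""
import hashlib

# Final extensions that Windows runs on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions a user reads as a harmless document or media file (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "pdf", "txt", "rtf", "jpg", "avi", "mpg"}

# Indicator quoted in the post: MD5 of lspr.exe, the AntiVirus XP 2008 installer.
KNOWN_BAD_MD5 = {
    "ffccd0518b04354532c733674c0faa00": "Adware/AVXP2008 (lspr.exe)",
}


def final_extension(filename: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    return filename.lower().rpartition(".")[2] if "." in filename else ""


def is_double_extension_lure(filename: str) -> bool:
    """'Fees-2008_2009.doc.exe' -> True: a document extension sits in front of an
    executable one. Compared case-insensitively because Windows does."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' enabled (the
    default): the final, known extension is dropped, so the lure reads as a .doc."""
    stem, dot, _ = filename.rpartition(".")
    return stem if dot else filename


def triage_attachments(attachments, bad_hashes=KNOWN_BAD_MD5):
    """attachments: iterable of (filename, raw bytes). Returns [(filename, [reasons])]
    for every attachment that trips a check; clean attachments are omitted."""
    findings = []
    for name, content in attachments:
        reasons = []
        ext = final_extension(name)
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable attachment (.%s)" % ext)
        if is_double_extension_lure(name):
            reasons.append("double extension; shown to the user as '%s'" % displayed_name(name))
        digest = hashlib.md5(content).hexdigest()
        if digest in bad_hashes:
            reasons.append("known hash: %s" % bad_hashes[digest])
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample attachments; the bytes are placeholders, not the real files.
SAMPLE_ATTACHMENTS = [
    ("Fees-2008_2009.doc.exe", b"MZ" + b"\0" * 62),
    ("Statement_of_Fees.pdf", b"%PDF-1.4 placeholder"),
    ("video99.exe", b"MZ placeholder"),
]


if __name__ == "__main__":
    for name, reasons in triage_attachments(SAMPLE_ATTACHMENTS):
        print(name, "->", "; ".join(reasons))
```

The hash check is deliberately the last and weakest test: a hash only catches the exact binary already seen, whereas the filename checks catch the next repack of the same lure.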
Spammers continued their efforts today with another round of celebrity-oriented spam designed to entice users into watching a non-existent video. The fake video site exhibits the same behaviour seen in the CNN and MSNBC spam attacks covered earlier this month: a popup message states that the ActiveX movie control is out of date and that the user must install an update to view the video.
The executable the user is pushed into downloading and installing is named install.exe and is classified as a malicious Trojan, Trj/Exchanger (this particular threat installs AntiVirus XP 2008). It is apparent that the spammers are very interested in getting a large number of users to install and use false security products such as AV XP 2008 and its variants in an effort to generate revenue.
A few minutes ago we discovered another spam campaign, this time offering an update to Microsoft Internet Explorer 7.0. What is interesting about this particular message is that it appears to be in exactly the same format as the one used to distribute get_flash_update.exe in some earlier attacks. The message comes from the address firstname.lastname@example.org so it appears to be. When you click on the link an executable named update.exe is downloaded (this is a downloader Trojan).
update.exe, PE information:

File size: 139776 bytes
Machine type: 0x14c (I386), 3 sections
Timestamp: 0x4898440b (Tue Aug 05 12:14:03 2008)

Section  Virt. addr  Virt. size  Raw size  Entropy  MD5
.text    0x1000      0x33d2c     0x4a00    4.01     320f92325281cf38056300846e33e293
DATA     0x35000     0x1b020     0x1ae00   8.00     b2da8ac3f7624aaec4e58820ca98f3d1
.rsrc    0x51000     0x1000      0x600     6.54     5a86ae6138955d3b751ed9ef76093acd

Two details of this listing point to a packed binary: the DATA section's entropy of 8.00 bits per byte is the theoretical maximum, which in practice means compressed or encrypted content, and the .text section's virtual size (0x33d2c) is roughly eleven times its raw size on disk (0x4a00), so most of the code only exists in memory after the sample unpacks itself. Neither is proof of malice on its own, but together with the delivery method they are exactly what an analyst would expect from a downloader stub.