
The SonicWALL UTM Research team observed a new wave of the ongoing Angelina Jolie video spam campaign starting on Monday, October 6, 2008. The email carries a zip attachment that contains a new Downloader Trojan variant.
SonicWALL has received more than 60,000 e-mail copies of this malware to date. The e-mail looks like the following:
Attachment: video.zip (contains video.exe - UPX packed)
Subject: Angelina Jolie Free Video
Email Body:
------------------------
New sex scandal, Angelina Jolie porn watch in attached file
------------------------
When executed, the Trojan drops the following malicious files in the system folder:
It also creates the following registry keys to ensure that gzipmod.dll is installed as a Winlogon notification package:
The Trojan includes a backdoor component that listens on TCP ports 6051 and 6052. It also tries to resolve the following domains and subsequently sends HTTP requests to them:
The Trojan is also known as Trojan.Spy.Goldun.NDU, Win32/Spy.Goldun.NDN trojan, and TR/Crypt.XPACK.Gen.
SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Agent.XQL (Trojan) signature.
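A host triage check for the two indicators named above (gzipmod.dll registered as a Winlogon notification package, and listeners on TCP 6051/6052), as an added example that is not part of the original advisory. It assumes output collected with `reg query ... /s` on the standard Windows Winlogon `Notify` key and with `netstat -ano`; that key path, the subkey name `example_pkg`, the DLL path and every sample line are constructed for illustration and do not come from the advisory.

```python
import re

SUSPECT_DLL = "gzipmod.dll"      # DLL named in the advisory
BACKDOOR_PORTS = {6051, 6052}    # backdoor ports named in the advisory

# Constructed sample of `reg query "<Winlogon Notify key>" /s` output.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    DllName    REG_EXPAND_SZ    crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_pkg
    DllName    REG_SZ    C:\WINDOWS\system32\GzipMod.dll
"""

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING      880
  TCP    0.0.0.0:6051     0.0.0.0:0      LISTENING      1204
  TCP    0.0.0.0:6052     0.0.0.0:0      LISTENING      1204
  TCP    10.0.0.5:6051    10.0.0.9:80    ESTABLISHED    1310
"""

def notify_packages(reg_text):
    """Map each Notify subkey name to its DllName value."""
    packages, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            current = line.rstrip().rsplit("\\", 1)[-1]
        elif current:
            m = re.match(r"\s+DllName\s+REG_\w+\s+(.+)", line)
            if m:
                packages[current] = m.group(1).strip()
    return packages

def listening_ports(netstat_text):
    """Return (port, pid) pairs for TCP sockets in the LISTENING state only."""
    pat = re.compile(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)")
    return {(int(m[1]), int(m[2])) for m in map(pat.match, netstat_text.splitlines()) if m}

def triage(reg_text, netstat_text):
    """List findings that match the advisory's registry and port indicators."""
    findings = []
    for name, dll in notify_packages(reg_text).items():
        # Compare the file name only, case-insensitively; the install path may vary.
        if dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() == SUSPECT_DLL:
            findings.append(("winlogon_notify", name, dll))
    for port, pid in sorted(listening_ports(netstat_text)):
        if port in BACKDOOR_PORTS:
            findings.append(("listener", port, pid))
    return findings
```

The PID on a listener finding identifies the owning process to examine next. A listener on these ports alone is weak evidence, since other software can bind them, so weigh it together with the registry finding.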