Fake Madonna video turns the blue-screen on
August 22nd, 2008
Poor Angelina Jolie has been the spammers’ darling for the last few weeks. Her name was misused in campaigns by Rustock, Srizbi, Grum, Pushdo and others, just to name a few. Now we’ve discovered new mass-mailings from the infamous Grum botnet, this time featuring pop star Madonna. The messages, with subjects like ‘Video Madonna XXX !!!’, promise a scandal video and purport to be sent from Microsoft as part of an MSN subscription.
In fact the embedded link does not point to a video but to a malware executable named ‘madonna.avi.exe’. The IP address hosting the malware, located in the Republic of Moldova, is a well-known address that has been used extensively in other campaigns before.
Once the malware is run, it replaces the desktop wallpaper with an image showing a Vista-style dialogue warning the user of a malware infection.

Once the trojan has infected the system, the infection is accompanied not only by annoying popups but also by regularly appearing ‘blue screens of death’ (BSOD), or at least by something that looks like a BSOD …

The popups offer the user a rogue “virus scanner” that can be downloaded with one click; once installed and run, it finds various malware whose presence on the ‘infected’ system is entirely fictitious. This is merely a pretext to push sales of the actual malicious item here, the rogue scanner: to be able to remove the fictitious malware, the user has to pay for it - that’s where your money is supposed to go.

Looking for the root cause of the fake bluescreens, we found that the trojan drops an executable with a random file name into the Windows system32 directory, silently in the background and without the user noticing. It is then registered as the screensaver application by directly modifying the Windows registry. A second registry modification by the trojan makes the “Screensaver” tab disappear from the Display Properties dialogue, so the user won’t notice the change and won’t be able to alter any screensaver-related settings.

Upon examination of the dropped file and the trojan’s code, we can see that the screen saver is actually a packed version - potentially tampered with, or a remake - of the well-known and harmless BSOD joke screensaver from Microsoft’s Sysinternals. As the original’s intention is to imitate a realistic-looking “bluescreen of death” (BSOD), malware authors now use it to help persuade users to install their rogue antivirus software. This, of course, is done with the aim of pushing even more sales of the ‘full version’ to desperate users.
The trojan actively communicates with its home servers to retrieve encoded configuration files containing download URLs, and to report back the success or failure of installations. The rogue software that is downloaded comes as XOR-encoded data appended to a graphics file. Individual infections are also tracked, as the trojan transmits system-specific data such as the serial number of the ‘C:\’ hard disk drive. Both malicious techniques are described in more detail in “The State Of Malware - Summer 2008”.
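As an added analyst-side example (not code from this post or its authors), the following Python carves such an appended payload: it parses the carrier image to find where it really ends, treats what follows as an overlay, and recovers the XOR key. It assumes a JPEG carrier, a single-byte key and a PE payload starting with “MZ”; the post states only that the data is XOR-encoded and appended to a graphics file.

```python
# Added example (not from the original post): walk a JPEG's segments to find its
# true end, treat the bytes after it as an overlay, and recover a single-byte XOR
# key assuming the hidden payload is a PE file ("MZ"). Both are assumptions here.

def jpeg_end(data):
    """Offset just past EOI, found by parsing (not rfind: an XOR-encoded
    overlay can itself contain the bytes FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                             # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                             # SOS: skip scan data
            while pos + 1 < len(data) and not (data[pos] == 0xFF and
                    data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("missing EOI marker")

def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)

def recover_single_byte_key(overlay, magic=b"MZ"):
    """Return the key that turns the overlay's first bytes into `magic`, else None."""
    for key in range(256):
        if xor_bytes(overlay[:len(magic)], key) == magic:
            return key
    return None

def extract_hidden_payload(data):
    """Split off the overlay and return it XOR-decoded, or None if no key fits."""
    overlay = data[jpeg_end(data):]
    key = recover_single_byte_key(overlay) if overlay else None
    return None if key is None else xor_bytes(overlay, key)

# Constructed sample: a tiny JPEG skeleton (SOI, APP0, SOS with three bytes of
# scan data, EOI) followed by a fake executable XOR-encoded with key 0x5A.
SAMPLE_IMAGE = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02"
                + b"\x12\xff\x00" + b"\xff\xd9")
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"rogue-scanner-stub"
SAMPLE_FILE = SAMPLE_IMAGE + xor_bytes(SAMPLE_PAYLOAD, 0x5A)
```

Parsing the segments rather than searching for the last FF D9 matters because the encoded overlay can contain that byte pair by chance, which would make a naive search carve at the wrong offset.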
The Secure Anti-Malware Engine proactively detects ‘madonna.avi.exe’ as ‘Trojan.Dropper.Gen’.
Author: Anti-Malware Team