CDC H1N1 Malspam Campaign

Our spam traps have been receiving thousands of malspam e-mails related to a new Sinowal (zbot) campaign over the past 24 hours. The e-mail attempts to trick users into creating a profile for H1N1 (swine flu) vaccination at the Centers for Disease Control website. The e-mail reads:

"You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people. Create your Personal H1N1 Vaccination Profile using the link: create personal profile

Centers for Disease Control and Prevention (CDC) – 1600 Clifton Rd – Atlanta GA 30333 – 800-CDC-INFO (800-232-4636)"

The (several) websites used in this malspam campaign all start with online.cdc.gov.(malicious domain) and could easily convince even the most suspicious users of their validity. The site reads:

"Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug). All instructions you need are included in the archive below:

Your Temporary ID (valid for 48 hours) H1N1-1574377270
H1N1 Vaccination Profile – Download Archive (130Kb)"

The campaign uses 6 different subject lines for its e-mails. The most common subject lines are "Governmental registration program" and "Creation of personal Vaccination Profile".
Infection information: Sinowal.WRN creates a copy of itself with the name SDRA64.EXE in the Windows system directory. Additionally, it creates the following files, where it stores the information it has obtained:

LOCAL.DS and USER.DS, in the folder lowsec, which it creates in the Windows system directory.
8.TMP and 9.TMP, in the Temp folder of the Windows directory.

Sinowal.WRN modifies the following entries in the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windowsl1vi = %sysdir%\%random file%.exe
where %sysdir% is the Windows system directory and %random file% is the filename with which the Trojan is copied.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Userinit = %sysdir%\userinit.exe,
where %sysdir% is the Windows system directory. It changes this entry to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,

By modifying this entry, Sinowal.WRN ensures that it is run whenever Windows is started.

Country of malware origin: Ukraine
source
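As an added detection example (not part of the original alert), the following Python checks a Winlogon Userinit value and a set of Run values for the persistence described above: a second program chained after userinit.exe and a Run value named windowsl1vi. The sample registry values are constructed, SYSDIR is an assumed %sysdir%, and read_live_userinit is a hypothetical helper that only works on Windows (on real systems the Winlogon key lives under "Windows NT\CurrentVersion").

```python
"""Flag the Sinowal.WRN persistence described above: an extra Userinit entry
and a Run value named windowsl1vi. Added example; sample values are constructed."""
import sys

SYSDIR = r"C:\WINDOWS\system32"  # assumed %sysdir%
CLEAN_USERINIT = SYSDIR + r"\userinit.exe,"
INFECTED_USERINIT = SYSDIR + r"\userinit.exe," + SYSDIR + r"\sdra64.exe,"
INFECTED_RUN = {"windowsl1vi": SYSDIR + r"\kj3h2f.exe"}  # constructed random name


def parse_userinit(value):
    """Split the comma-separated Userinit string into normalised entries."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value, sysdir=SYSDIR):
    """Return every entry other than the one legitimate %sysdir%\\userinit.exe."""
    expected = sysdir.rstrip("\\").lower() + r"\userinit.exe"
    return [e for e in parse_userinit(value) if e != expected]


def check_persistence(userinit_value, run_values, sysdir=SYSDIR):
    """Return a list of findings for the registry indicators the alert lists."""
    findings = []
    for extra in unexpected_userinit_entries(userinit_value, sysdir):
        findings.append("Userinit chains extra program: " + extra)
    for name, cmd in run_values.items():
        if name.lower() == "windowsl1vi":
            findings.append("Run value 'windowsl1vi' present: " + cmd)
        elif cmd.lower().rstrip('"').endswith(r"\sdra64.exe"):
            findings.append("Run value " + name + " launches sdra64.exe")
    return findings


def read_live_userinit():
    """Read the real Userinit value on Windows (hypothetical helper; None elsewhere).
    The Winlogon key actually lives under 'Windows NT\\CurrentVersion'."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return winreg.QueryValueEx(k, "Userinit")[0]
```

On a Windows host, pass read_live_userinit() and the values enumerated from the Run key to check_persistence instead of the constructed samples.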


Posted under Malware Alerts

This post was written by Ted on December 3, 2009


Mac OS X targeted by Trojan and backdoor tool (ZDNet)

Two new pieces of malware affecting Mac OS X appeared this week, a Trojan horse and a hacker tool for creating backdoors. Two pieces of malicious software affecting Apple’s Mac OS X appeared this week: a Trojan horse with the ability to download and install malicious code of an…
source


Posted under Spyware in the News

This post was written by Ted on November 29, 2009


China tries out a Trojan horse (The Malaysian Insider)

BEIJING, June 27 – In May, China told computer manufacturers that all personal computers sold in the country after July 1 must come installed with anti-pornography software. While the Chinese government insists that the purpose of the Green Dam program was to block access to porn websites, critics say that the real purpose of what they consider to be “spyware” is to block websites that the …
source


Posted under Spyware in the News

This post was written by Ted on November 29, 2009


Mac OS X targeted by Trojan and backdoor tool (ZDNet UK)

Two new pieces of malware affecting OS X appeared this week, a Trojan horse and a hacker tool for creating backdoors
source


Posted under Spyware in the News

This post was written by Ted on November 28, 2009


First Look: Microsoft Security Essentials (CIO)

The beta version of Microsoft Security Essentials, a free program that fights viruses and spyware, is now available for download. The app, previously code-named Morro, replaces Windows Live OneCare and fights the usual rogues’ gallery of PC threats, including worms, Trojans, and other troublemakers.
source


Posted under Spyware in the News

This post was written by Ted on November 25, 2009

