Today a new downloader trojan is being spammed widely. This spam message arrives as a reply to the victim’s query of asking for the wire transfer.
When users run the file “bank_statement.scr” in the attachment zip file, it downloads the BackDoor-DSG trojan, while in the background it downloads an innocent pdf document from a legit site and opens it for deception. The pdf document, however, is not relevant to the wire transfer.
We see that the trojan file is repacked for each message, thus none of them are identical. In addition to that, this time the malware authors are changing resource sections in those pe files such as Icons, and file properties.
For example, we observed following icons:
- Auto-reader Module
- Adobe Reader HSMC
These crafted resources, as well as the malicious code, are the result of server-side polymorphism to attempt to evade detections by Anti-Virus software. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr trojan, and dropped files as BackDoor-DSG with DAT 5474 or later.