No - although it pretends to be sent by German authorities, it’s just another trojan.

Another spam run of Downloader-AAP happened this past Saturday, May 5th, 2007. Such spam runs are nothing unusual here in Germany; we usually see one or two a week. Today, Wednesday, May 9th, we are seeing almost the same thing again; only the malicious binaries have changed.

While there are ongoing discussions about ‘Online Computer Spying by Intelligence Agents’ here in Germany, the body of the spammed mail pretends to be sent by ‘LKA Rheinland-Pfalz’, the State Office of Criminal Investigation.

The user is notified of an online search, supposedly because his IP address was found while Peer-to-Peer networks were being monitored, and is told that backups of the contents of his hard drive were taken by the “Bundestrojaner”.

Furthermore, the user will face criminal prosecution because of illegal software, movies and/or music files found on the machine. Detailed information about the online search can supposedly be found in the attached protocol.

No – no protocol – only another trojan. Don’t click!

If the user executes the attached file, the trojan downloads a copy of Spy-Agent.ba from various servers and executes it. All that component does is drop a DLL in %windir%\system32 and register it as a Browser Helper Object (BHO) for Internet Explorer; the BHO captures confidential account information for various online banks and uploads it to the attackers’ servers.

This DLL gets proactively detected as Spy-Agent.ba.dll.
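As an added example from the defender's side (not code from the original post), this PowerShell audit enumerates the Browser Helper Objects registered for Internet Explorer and flags the pattern described above: a BHO DLL under %windir%\system32 that is unsigned or recently created. The seven-day threshold and the `Resolve-BhoDll` helper are assumptions of this example; the registry locations are the standard ones Internet Explorer reads.

```powershell
# Added example, not code from the original post: audit the Browser Helper Objects
# registered for Internet Explorer and flag the pattern described above, a DLL under
# %windir%\system32 that is unsigned or newly created.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$system32 = Join-Path $env:windir 'system32'
$recentCutoff = (Get-Date).AddDays(-7)   # "recently created" threshold; an assumption for this audit

function Resolve-BhoDll([string]$Clsid) {
    # The DLL implementing a COM object is the default value of its InprocServer32 key.
    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $server = "Registry::$root\$Clsid\InprocServer32"
        if (Test-Path $server) {
            $path = (Get-ItemProperty -Path $server).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

$findings = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $clsid = $entry.PSChildName
        $dll = Resolve-BhoDll $clsid
        $exists = $dll -and (Test-Path -LiteralPath $dll)
        # Authenticode status: 'Valid' for a properly signed file, 'NotSigned' otherwise.
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'MissingFile' }
        $created = if ($exists) { (Get-Item -LiteralPath $dll).CreationTime } else { $null }
        $inSystem32 = $dll -and ($dll -like "$system32\*")
        $suspicious = $inSystem32 -and ($sigStatus -ne 'Valid' -or ($created -and $created -gt $recentCutoff))
        [pscustomobject]@{
            CLSID      = $clsid
            DLL        = $dll
            Signature  = $sigStatus
            Created    = $created
            Suspicious = $suspicious
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session; a flagged entry is a lead for further inspection, not proof of infection, since some legitimate BHOs also live in system32.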

Below is an example of a spammed mail:

Screenshot of spammed Downloader-AAP mail


Proactive detection for the new spammed Downloader-AAP and for Spy-Agent.ba.dll had been in the DATs before the spamming started. Detection for the new Spy-Agent.ba will be included in today's 5027 DATs.