Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42874
  • Total Topics: 16082
  • Online Today: 4137
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: Worm Lures Victims with Indian Celebrity Video Links  (Read 2403 times)

0 Members and 2 Guests are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Worm Lures Victims with Indian Celebrity Video Links
« on: 07. January 2013., 09:31:50 »
Worm Lures Victims with Indian Celebrity Video Links

Malicious worms are found infecting customers through-out the year. They keep evolving to evade the Anti Virus detections. They add junk codes or come up with new custom packer, yet achieve their full functionality and reward their developers.

We have seen earlier how different types of malware use chat windows to download and spread across victims here and here.

This worm spreads by copying itself to removable drives and writeable network shares,and by modifying system settings. It can also send out messages via instant messaging client messages.

Spreading technique:


larger image

Payload

A file by the name Setting.ini is dropped into Windows system folder. It then tries to download other files from any URL specified randomly and once downloaded they are then executed.

What looked interesting to us was that some messages send by this worm actually had some Indian celebrities’ names like Aishwarya Rai,Nayanthara and Simbufollowed by a link.

The URLs are actually retrieved from setting.ini randomly.URLs point to a remote server which host a copy of worm. The following are few messages seen:

•·         “Aishwarya Rai videos ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•·         “stream Video of Nayanthara and Simbu ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•·         “Latest video shot of infosys girl ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

• “Latest video shot of infosys girl ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•·         “cyber cafe scandal visit ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•·         “World Business news broadcaster ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•·         “Regular monthly income by wearing your shorts at the comfort of your home for more info ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•·         “Nfs carbon download ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•·         “Free mobile games ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

•“Nse going to crash for more ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”


From the look at the list of messages in setting.ini, we suspect this variant of worm was targeted against Indian computer users.

In case if the worm fails to read the content of setting.ini, it send one of the following messages (in Vietnamese) with the URL pointing to remote server hosting the worm.

• E may, vao day coi co con nho nay ngon lam

• Vao day nghe bai nay di ban•Biet tin gi chua, vao day coi di

• Trang Web nay coi cung hay, vao coi thu di

• Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?

• Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…

• Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…

• Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…

• Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…


The worm also has the ability to enumerate through various applications running in the victim’s machine and terminating if the following were found:

• “Registry”

• “System Configuration”

• “Windows mask”

• “Bkav2006″

• “Trung tƒm An ninh m?ng Bkis”

• “FireLion”

The following system changes can be looked out for checking the presence of this worm:

• The presence of the following files:
<system folder>/regsvr.exe
<system folder>/svchost .exe
%windir%/regsvr.exe
New Folder.exe (with a folder icon)
The dropped files are all sample copies with Folder icon.

• Taksmgr.exe and Regedit.exe are disabled.

• AT1.job is created to ensure that the worm gets executed everyday at 9:00 AM.


larger image

• The presence of the following registry modifications:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
“Shell” = “explorer.exe regsvr.exe”HKCU\Software\Microsoft\Windows\CurrentVersion\Run
“Msn Messsenger” = “<system folder>\regsvr.exe”

We advise our customers to pay extra caution when they plug in their USB sticks and keep their DATS updated.

McAfee detects this worm as W32/Autorun.g.


Orginal article: Monday, December 24, 2012 at 6:48pm by Niranjan Jayanand

(corrected the orginal article link)
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info

Worm Lures Victims with Indian Celebrity Video Links
« on: 07. January 2013., 09:31:50 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising