McAfee Labs

Worm Lures Victims with Indian Celebrity Video Links

0
By on Dec 24, 2012

Malicious worms are found infecting customers through-out the year. They keep evolving to evade the Anti Virus detections. They add junk codes or come up with new custom packer, yet achieve their full functionality and reward their developers.

We have seen earlier how different types of malware use chat windows to download and spread across victims here and here.

This worm spreads by copying itself to removable drives and writeable network shares,and by modifying system settings. It can also send out messages via instant messaging client messages.

Spreading technique:

 

Payload

A file by the name Setting.ini is dropped into Windows system folder. It then tries to download other files from any URL specified randomly and once downloaded they are then executed.

What looked interesting to us was that some messages send by this worm actually had some Indian celebrities’ names like Aishwarya Rai,Nayanthara and Simbufollowed by a link.

The URLs are actually retrieved from setting.ini randomly.URLs point to a remote server which host a copy of worm. The following are few messages seen:

  • ·         “Aishwarya Rai videos ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • ·         “stream Video of Nayanthara and Simbu ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • ·         “Latest video shot of infosys girl ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “Latest video shot of infosys girl ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • ·         “cyber cafe scandal visit ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • ·         “World Business news broadcaster ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • ·         “Regular monthly income by wearing your shorts at the comfort of your home for more info ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • ·         “Nfs carbon download ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • ·         “Free mobile games ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “Nse going to crash for more ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

From the look at the list of messages in setting.ini, we suspect this variant of worm was targeted against Indian computer users.

In case if the worm fails to read the content of setting.ini, it send one of the following messages (in Vietnamese) with the URL pointing to remote server hosting the worm.

  • E may, vao day coi co con nho nay ngon lam
  • Vao day nghe bai nay di ban
  • Biet tin gi chua, vao day coi di
  • Trang Web nay coi cung hay, vao coi thu di
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…

 

The worm also has the ability to enumerate through various applications running in the victim’s machine and terminating if the following were found:

  • “Registry”
  • “System Configuration”
  • “Windows mask”
  • “Bkav2006″
  • “Trung tƒm An ninh m?ng Bkis”
  • “FireLion”

The following system changes can be looked out for checking the presence of this worm:

  • The presence of the following files:
    <system folder>/regsvr.exe
    <system folder>/svchost .exe
    %windir%/regsvr.exe
    New Folder.exe (with a folder icon)

The dropped files are all sample copies with Folder icon.

  • Taksmgr.exe and Regedit.exe are disabled.
  • AT1.job is created to ensure that the worm gets executed everyday at 9:00 AM.

  • The presence of the following registry modifications:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    “Shell” = “explorer.exe regsvr.exe”HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Msn Messsenger” = “<system folder>\regsvr.exe”

We advise our customers to pay extra caution when they plug in their USB sticks and keep their DATS updated.

McAfee detects this worm as W32/Autorun.g.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>