Malicious worms are found infecting customers throughout the year. They keep evolving to evade antivirus detection: they add junk code or come up with new custom packers, yet keep their full functionality and continue to reward their developers.
We have seen earlier (here and here) how different types of malware use chat windows to download and spread across victims.
This worm spreads by copying itself to removable drives and writeable network shares, and by modifying system settings. It can also send out messages via instant messaging clients.
A file by the name Setting.ini is dropped into the Windows system folder. The worm then tries to download other files from a URL chosen at random from that file; once downloaded, they are executed.
What looked interesting to us was that some messages sent by this worm had the names of Indian celebrities such as Aishwarya Rai, Nayanthara and Simbu, followed by a link.
The URLs are retrieved at random from setting.ini. They point to a remote server which hosts a copy of the worm. The following are a few of the messages seen:
· “Aishwarya Rai videos ftp://tlpoeil:firstname.lastname@example.org <url>”
· “stream Video of Nayanthara and Simbu ftp://tlpoeil:email@example.com <url>”
· “Latest video shot of infosys girl ftp://tlpoeil:firstname.lastname@example.org <url>”
· “Latest video shot of infosys girl ftp://tlpoeil:email@example.com <url>”
· “Free mobile games ftp://tlpoeil:firstname.lastname@example.org <url>”
· “Nse going to crash for more ftp://tlpoeil:email@example.com <url>”
Judging from the list of messages in setting.ini, we suspect this variant of the worm was targeted at Indian computer users.
If the worm fails to read the contents of setting.ini, it sends one of the following messages (in Vietnamese), with a URL pointing to the remote server hosting the worm.
E may, vao day coi co con nho nay ngon lam
Vao day nghe bai nay di ban
Biet tin gi chua, vao day coi di
Trang Web nay coi cung hay, vao coi thu di
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?
Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…
Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…
Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…
Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…
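Both message lists above share two traits a defender can key on without knowing the download host: the lure text itself, and an ftp:// link that carries a username and password inline. The following script is an added example (not part of the original write-up or any vendor tool) that runs that detection over a constructed IM log. The log format, the sender names, the redacted password and the 203.0.113.10 host are all assumptions made up for the example; the lure strings are the ones quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Lure texts quoted in the write-up (the worm's own message strings).
KNOWN_LURES = (
    "Aishwarya Rai videos",
    "stream Video of Nayanthara and Simbu",
    "Latest video shot of infosys girl",
    "Free mobile games",
    "Nse going to crash for more",
    "E may, vao day coi co con nho nay ngon lam",
    "Vao day nghe bai nay di ban",
    "Biet tin gi chua, vao day coi di",
    "Trang Web nay coi cung hay, vao coi thu di",
)

# ftp:// URL with embedded credentials (user:password@host), the shape used in the lures.
FTP_CRED_URL = re.compile(r"ftp://([^\s:/@]+):([^\s@]+)@([^\s/]+)(/\S*)?", re.IGNORECASE)

# Assumed (constructed) IM log line layout: "<date> <time> <from> -> <to>: <message>"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<from>\S+) -> (?P<to>\S+): (?P<msg>.*)$")


@dataclass
class Alert:
    line_no: int
    sender: str
    recipient: str
    host: Optional[str]          # host of the credentialed ftp:// link, if any
    reasons: List[str] = field(default_factory=list)


def scan_messages(lines: List[str]) -> List[Alert]:
    """Flag IM messages that look like this worm's lures."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unparseable line: skip rather than guess
        msg = m.group("msg")
        reasons = []
        url = FTP_CRED_URL.search(msg)
        if url:
            reasons.append("ftp URL with embedded credentials (user %r)" % url.group(1))
        lure = next((t for t in KNOWN_LURES if t.lower() in msg.lower()), None)
        if lure:
            reasons.append("known lure text: %r" % lure)
        if reasons:
            alerts.append(Alert(n, m.group("from"), m.group("to"),
                                url.group(3) if url else None, reasons))
    return alerts


def burst_senders(alerts: List[Alert], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """A worm pushes the same link to many contacts: count distinct recipients per (sender, host)."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for a in alerts:
        if a.host is None:
            continue
        seen.setdefault((a.sender, a.host), set()).add(a.recipient)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample log; password is redacted, host is a documentation address.
SAMPLE_LOG = """\
2009-03-12 10:15:02 alice -> bob: lunch at 1?
2009-03-12 10:15:40 carol -> bob: Aishwarya Rai videos ftp://tlpoeil:REDACTED@203.0.113.10/New Folder.exe
2009-03-12 10:15:41 carol -> dave: Free mobile games ftp://tlpoeil:REDACTED@203.0.113.10/New Folder.exe
2009-03-12 10:15:41 carol -> erin: Vao day nghe bai nay di ban ftp://tlpoeil:REDACTED@203.0.113.10/New Folder.exe
2009-03-12 10:16:10 bob -> alice: sure, see you then
2009-03-12 10:17:00 frank -> alice: check ftp://anon:guest@files.example.net/report.pdf
""".splitlines()


if __name__ == "__main__":
    found = scan_messages(SAMPLE_LOG)
    for a in found:
        print("line %d %s -> %s: %s" % (a.line_no, a.sender, a.recipient, "; ".join(a.reasons)))
    print("burst senders:", burst_senders(found))
```

The lure-text match alone would miss a new variant with a fresh setting.ini, which is why the credentialed-ftp and burst heuristics are kept separate: the last sample line shows a lone credentialed link that is flagged for review but never reaches the burst threshold.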
The worm also has the ability to enumerate the applications running on the victim’s machine and terminate if the following is found:
“Trung tâm An ninh mạng Bkis” (Vietnamese: “Bkis Network Security Centre”)
The following system changes can be checked for to detect the presence of this worm:
The presence of the following files:
<system folder>/svchost .exe
New Folder.exe (with a folder icon)
The dropped files are all copies of the worm sample, each with a folder icon.
Taskmgr.exe and Regedit.exe are disabled.
AT1.job is created to ensure that the worm gets executed every day at 9:00 AM.
The presence of the following registry modifications:
“Shell” = “explorer.exe regsvr.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
“Msn Messsenger” = “<system folder>\regsvr.exe”
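The file, scheduled-task and registry artifacts listed above can be turned into a host check. The script below is an added example, not part of the write-up or any vendor product: the detection logic works on a snapshot of host state so it can be exercised with constructed data anywhere, and a collector fills that snapshot on a live Windows machine. Two things in it are assumptions: the “Shell” value is read from the standard Winlogon key (the write-up gives the value but not its key), and Task Manager/Regedit being disabled is checked via the usual DisableTaskMgr and DisableRegistryTools policy values, which the write-up does not name.

```python
import os
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Names and values taken from the write-up's indicator list.
SYSTEM_FILE_INDICATORS = ("svchost .exe", "regsvr.exe")   # note the space in "svchost .exe"
RUN_VALUE_NAME = "Msn Messsenger"                          # value name as dropped by the worm
JOB_NAME = "AT1.job"
# Assumption: the disabled tools are enforced through these standard policy values.
POLICY_INDICATORS = ("DisableTaskMgr", "DisableRegistryTools")


@dataclass
class HostState:
    system_files: Set[str] = field(default_factory=set)      # file names in <system folder>
    run_values: Dict[str, str] = field(default_factory=dict) # HKCU\...\Run  name -> data
    winlogon_shell: Optional[str] = None                      # Winlogon "Shell" data (assumed key)
    scheduled_jobs: Set[str] = field(default_factory=set)    # .job files in %SystemRoot%\Tasks
    policy_values: Dict[str, int] = field(default_factory=dict)


def check_indicators(state: HostState) -> List[str]:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings = []
    present = {f.lower() for f in state.system_files}
    for name in SYSTEM_FILE_INDICATORS:
        if name.lower() in present:
            findings.append("system folder contains %r" % name)
    if state.winlogon_shell and "regsvr.exe" in state.winlogon_shell.lower():
        findings.append("Winlogon Shell is %r" % state.winlogon_shell)
    for name, data in state.run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or "regsvr.exe" in str(data).lower():
            findings.append("Run value %r = %r" % (name, data))
    if JOB_NAME.lower() in {j.lower() for j in state.scheduled_jobs}:
        findings.append("scheduled job %s present" % JOB_NAME)
    for pol in POLICY_INDICATORS:
        if state.policy_values.get(pol):
            findings.append("policy %s is set" % pol)
    return findings


def _read_values(hive, path) -> Dict[str, object]:
    """Enumerate all values under a registry key (Windows only); missing key -> {}."""
    import winreg
    out: Dict[str, object] = {}
    try:
        with winreg.OpenKey(hive, path) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                out[name] = data
                i += 1
    except OSError:
        pass
    return out


def collect_windows_state() -> HostState:
    """Fill a HostState from the live machine. Requires Windows."""
    import winreg
    root = os.environ.get("SystemRoot", r"C:\Windows")
    sysdir = os.path.join(root, "System32")
    tasks = os.path.join(root, "Tasks")
    state = HostState()
    state.system_files = set(os.listdir(sysdir)) if os.path.isdir(sysdir) else set()
    state.scheduled_jobs = set(os.listdir(tasks)) if os.path.isdir(tasks) else set()
    state.run_values = {k: str(v) for k, v in _read_values(
        winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run").items()}
    shell = _read_values(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon").get("Shell")
    state.winlogon_shell = str(shell) if shell is not None else None
    pol = _read_values(winreg.HKEY_CURRENT_USER,
                       r"Software\Microsoft\Windows\CurrentVersion\Policies\System")
    state.policy_values = {k: int(v) for k, v in pol.items() if k in POLICY_INDICATORS}
    return state


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; check_indicators() can be fed a constructed HostState")
    for line in check_indicators(collect_windows_state()) or ["no indicators found"]:
        print(line)
```

Matching on the Run value name as well as on the regsvr.exe data means a variant that keeps the typo’d “Msn Messsenger” name but changes the file name, or vice versa, is still caught; the check deliberately does not rely on the folder-icon trait, which cannot be read from a directory listing.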
We advise our customers to take extra care when they plug in their USB sticks and to keep their DATs updated.