Showing posts with label Social Engineering.

Tuesday, July 1, 2008

New Undetected Worm

We're seeing a new version of the worms that we previously posted info about.

Some slight changes in the newest version: circulating with the name "newphoto011.jpeg-www.myspace.com", which I'm sure will change soon enough. This time, it hides a new process that loads "msnp2pmgr.exe". The authors keenly call it their "MSN P2P Manager". It connects back to xili.zerolost.org, hosted at a number of ip's...Addresses: 64.34.203.207, 66.135.32.35, 195.137.213.67, 195.149.74.40, 195.149.74.67, 64.34.161.89, 64.34.202.227.


The authors seem to be getting a bit more aggressive against security solutions, delivering a long list of modifications to the hosts file with their worm that can be seen on this ThreatExpert report (look to the bottom of the report under "The HOSTS file was updated with the following URL-to-IP mappings"). These modifications prevent a user from visiting sites that may describe this worm as malicious, and also block security solutions from downloading signature updates as well.
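As an added illustration (this is not code from this blog or from ThreatFire), the check below parses a hosts file and flags lines that point security-vendor or malware-research domains at loopback or elsewhere, which is exactly the footprint these modifications leave. The hosts content, the vendor watch list and the domain names in it are constructed sample data, not the mappings from the ThreatExpert report:

```python
import ipaddress

# Constructed sample hosts-file content; not the mappings from the
# ThreatExpert report the post links to, just the same shape.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.symantec.com
127.0.0.1   update.symantec.com        # signature updates go nowhere
0.0.0.0     www.mcafee.com
127.0.0.1   virustotal.com
127.0.0.1   threatexpert.com
192.168.1.50  intranet.example.local
"""

# Assumed watch list: vendor update hosts and malware-research sites a worm
# would want to sinkhole. Extend it with the vendors you actually run.
SECURITY_DOMAINS = (
    "symantec.com", "mcafee.com", "kaspersky.com", "sophos.com",
    "virustotal.com", "threatexpert.com", "windowsupdate.com", "microsoft.com",
)

# Addresses that make a name resolve to nothing useful.
SINKHOLE_PREFIXES = ("127.", "0.0.0.0")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (# ...) and blank lines are skipped; a line whose first field is
    not a valid IPv4/IPv6 address is ignored as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((fields[0], host.lower()))
    return entries


def _watched(host, watch):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watch)


def find_security_blocks(entries, watch=SECURITY_DOMAINS):
    """Return (host, ip, kind) for every watched domain the hosts file overrides.

    kind is 'sinkholed' when the name is pointed at loopback or 0.0.0.0, and
    'redirected' when it is pointed somewhere else (possible phishing proxy).
    """
    findings = []
    for ip, host in entries:
        if host == "localhost" or not _watched(host, watch):
            continue
        kind = "sinkholed" if ip.startswith(SINKHOLE_PREFIXES) else "redirected"
        findings.append((host, ip, kind))
    return findings


if __name__ == "__main__":
    for host, ip, kind in find_security_blocks(parse_hosts(SAMPLE_HOSTS)):
        print(f"{kind:10} {host:30} -> {ip}")
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts on Windows) by reading that file into `parse_hosts`; a clean system normally yields no findings at all, so any hit on a vendor or research domain is worth a closer look, and a "redirected" hit to a routable address is the more serious of the two.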


AV scanner detection catching up:

Tuesday, June 24, 2008

Fakealert Variant

Another Fakealert variant is affecting our user base.

Passing itself off as the usual "mediatubecodec_ver1.1277.0.exe" (do not run this file -- it really does not deliver useful codec components for playing videos), this downloader connects back to hxxp://xpantivirussecurity.com, and drops files like "1.exe" that deliver scary popups to alarm our users with false malware detections in an effort to coerce them into paying for a product that they don't need. Unfortunately, detection has been spotty, with some heuristics performing effectively.


Friday, June 20, 2008

Rustock Crackz

Last Thursday's post commented on malware commonly bundled with crackz. A large number of users are running files that appear to be distributed from a number of crack sites. We will not publish those domains on this post.

The filename bundles carry a common theme for a downloader that delivers more than a user would expect. Crack.exe, keygen.exe, patch.exe and install.exe have been bundled within phony cracks and released to a number of sites. They contain trojan downloaders, among other things, pulling down and executing spambot variants and many other malware executables, including our old friend Vundo. Here are just a handful of the bundle names that we've been seeing:
Microsoft_Office_Professional_Plus_2007.txt.exe
WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE
popcapzumadeluxe!v1.0crack.zip.exe
COMMAND_AND_CONQUER_GENERALS_ZERO_HOUR_MULTI_KEYGEN_BY_FFF.ZIP.EXE
MAGICISO_V3.5_BUILD_0064.ZIP.EXE
WINDOWS_XP_HOME_EDITION_OEM_BUILD_2600_ACTIVATION_CRACK_BY_AMOL_A._MORE.ZIP.EXE
nero_8.2.8.0_serial.txt.exe
DYNOMITE_DELUXE_V2.71.ZIP.EXE
WARCRAFT_3_REIGN_OF_CHAOS_BY_RAZOR.ZIP.EXE
osadobephotoshopcs2tryouttofullactivationkeygenoscaria.zip.exe
SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE
ADOBE_PHOTOSHOP_CS2_CS2_SERIAL_NUMBER.TXT.EXE

Notice the clever(?) use of the double file extension, ending in .zip.exe or .txt.exe. DO NOT download and run these files.

In our labs, we find that running these files results in a ridiculous attack. The volume of malware that ends up running on the system is so large that the system becomes entirely unusable. We haven't seen an attack quite so bad since the 2nd-thought.com site was taken down.

One of the components infects services.exe on the system (often named "axer.exe"), and drops rootkit and spambot components (surprisingly, we see a consistent driver filename "pqasghjd.sys"), sending out waves of spam from this system process. The kernel level driver component hooks SSDT entries NtCreateKey, NtOpenKey and NtTerminateProcess, in an attempt to hide registry keys and prevent termination of the malware's user-mode processes. It also attaches to the Ntfs file system driver, in order to obscure access to its presence on-disk.

The spambot components download updated lists of user accounts and available smtp servers over http, and then peddle rather "adult" themes in outgoing messages. All of the messages include a link to phony "personal growth" pills for men. Here are a couple of "mentionable" subject lines, just to get a small percentage of users to actually open the message:
"Life will get better with this"
"Wanna know why she's hot"
"Jessica Alba bikini pics"
"All the love you need"
"Scarlett Johansson and Justin Timberlake spotted together"
"Get ready for a stunning improvement to your love life"
"Scarlett Johansson and Tom Brady spotted in Mexico"

Wednesday, June 18, 2008

I do not!

We continue to receive emails telling us that we're not smart enough or don't look good enough. It's not totally unusual, because that message frequently is communicated by the "beauty" and "diet" industries in magazines, tv ads, etc. How dreary.

A common scam continues to make the rounds, putting the two themes together and telling us that we even look dumb. The email message includes a link to a video file, implying we might look really dumb in this video. The message even looks like crass Onion humor -- next, they'll tell us that only nerds wear glasses. Now, they are telling me "You look really stupid". Unfortunately, users are falling for this bad line every day, and downloading and running "video1.exe" on their systems:


Also hosted at the compromised server is video.exe.

This work is from a Russian gang, with the malware phoning back to a domain associated with other malware families in the Russian Federation:
Name: sr59.24ruhost.com
Address: 207.10.234.217
The owners of the compromised server have been notified.

These "videos" didn't show how dumb I really look. Instead, they download adware, rogueware, and other components. McAfee's researcher Paulo Palumbo beat us to the post this morning with a description of the blue screen that these downloaded rogueware installs frighten users with -- we'll note that this spammed executable link is one of its sources.
In our lab, we tried to reconfigure the Sysinternals' (acquired by Microsoft) screensaver used in this attack to "enable fake disk activity", but the necessary sysinternals components are not functional in this bundle. It's not even fun to tinker with, don't fall for this video.exe trick.

You're not ugly or dumb. You're beautiful, just right.

Elevated RBN Ip Range Activity

Currently, we are seeing user systems from all over the world being attacked by a series of rogueware and spyware components. The software is related to a web server at http://74.50.107.165, whose ip address you can find among other Coolwebsearch/Gromozon/RBN addresses in the Russian Federation (still known as the "Russian Business Network", even though much of the group moved operations to Panama and China). The authors continue to use many of the same simple filenames they started out with:
0.exe, 1.exe, 2.exe, 3.exe, 4.exe, 5.exe

Creative stuff, no?

The attack is using a variety of methods. One of the more effective techniques is simply bundling the software with "winpole2.exe" within a setup file, which was available as another download at http://www.softportal2008-2008.com.

The dialog boxes' appearance is similar to the Microsoft Security Center, with claims that "Windows did not find Antivirus software on this computer", when the pages are not provided by "Windows" or Microsoft at all:

Clicking on one of the links provided by the Center-lookalike takes you to "thespybot.com", a one-off from the legitimate antispyware product SpyBot S&D:

The other link in the Center-lookalike takes the user to a page that reports on phony scan results:

Now, instead of dropping the rogueware known as "Brave Sentry", this new variant drops a variant of phony antivirus software "vav.exe", otherwise known as "Vista Antivirus 2008".


If that's not enough to convince the user to pay for the misleading product, they falsely alarm the user of "Spyware.IEPass.Thief" on their system.


AV coverage for many of the components is very poor for now; see only four of the scanners picking up most of the dropped components:

Thursday, June 5, 2008

Seeing triple?


And here we thought our vision was bad the other day when we were dizzy from seeing double.

Today and yesterday, some of our users were duped into seeing triple. Wav2008.com, sav2008.com, and vav2008.com all appear to hawk pretty much the same stuff. When we download and run each, we get the same misleading scam.
Here is a shot of the wav.exe gui after installing the product and running the scanner. The machine was infected and hundreds of malware and infected files resided on the system. The scanner claims to have found a couple of cookies (which are pretty standard for any activity on the web) and some generic names:

Another window appears, reporting the 17 infections that it found and providing standard scary messages:

Any user looking to clean up the "Threats" is prompted with another dialog box for payment:

Running the setup on several other clean systems resulted in pretty much the same phony messages. The software will state that any system it is installed on is infected and payment is required to clean the infections up.
Here is a nifty control panel icon that they add, mirroring the Windows Security Center icon that is shipped by Microsoft:

One unfortunate thing that the distributors just forget to mention on the site is that uninstall functionality is missing from the free scan software, or should I say scam software. Because of this minor oversight, the software repeatedly displays nag windows to the user that a "Blaster/Sasser" attack has been detected, and multiple other infections have been found. Here is the add/remove applet on a system with the software installed, showing the lack of ease for uninstallation:

We'll get back to this topic when we see more than a dozen at a time.

One last note on this malware's behavior -- at runtime the software sets global hooks. This activity can be a major problem when you don't know or trust the source. Bill Mullins' blog posted some information suggesting "There have been some reports indicating that XP Antivirus 2008 has the potential to capture and transmit personal and financial information, although this remains largely unverified". Well, with the global hooks this software sets, the functionality is there to collect arbitrary information off the machine. We have not witnessed this software collecting arbitrary information off of the system and sending it home.

Wednesday, June 4, 2008

Wachovia link

If you have received an email with a confusingly long link to a supposed Wachovia site that looks like http://commercial.wachovia.online.financial.business....cashman766.com/Service.htm, delete it. It seems that users in Great Britain are receiving these messages. That page serves up the file "wachovia_certificatev102.exe". When run, it does not install any new Wachovia certificates.

Instead, this trojan downloads "cb_1.exe" and runs it, installing multiple password stealing and rootkit components that are not new (but this version of the fraudulent scheme is new). The components, including 9129837.exe (Spyware.Papras) and new_drv.sys (Rootkit.Agent.ex) will steal all web form input (from any and all banks, for example), most any other stored passwords on the system, and send the data off to a server hosted in Singapore.
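The link works because the bank's name is buried in the subdomain labels while the registrable domain belongs to someone else. As an added example (not from this blog or ThreatFire), the Python check below extracts the registrable domain and flags a URL whose host mentions a protected brand outside that domain. The brand list is constructed, the registrable domain is approximated as the last two labels (an assumption: no public-suffix list, so co.uk-style suffixes are not handled), and the sample URL uses a made-up attacker host rather than the elided one from the message:

```python
from urllib.parse import urlsplit

# Assumed map of brand token -> domains that legitimately carry it. Constructed
# for the example; a production list would come from your own brand inventory.
PROTECTED_BRANDS = {
    "wachovia": {"wachovia.com"},
    "microsoft": {"microsoft.com", "windowsupdate.com"},
}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is consulted, so multi-label suffixes
    such as co.uk are not handled correctly by this simplification.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_depth(host):
    """Number of DNS labels; lure hosts padded with brand words run unusually deep."""
    return len([label for label in host.lower().rstrip(".").split(".") if label])


def brand_spoof_check(url):
    """Classify a URL as 'legit', 'spoof' or 'unknown' with respect to PROTECTED_BRANDS.

    A host is a spoof when a protected brand name appears anywhere in it (most
    often padded into the subdomain labels) while the registrable domain is not
    one the brand actually owns.
    """
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    owned = {d for domains in PROTECTED_BRANDS.values() for d in domains}
    if reg in owned:
        return ("legit", reg)
    for brand in PROTECTED_BRANDS:
        if brand in host:
            detail = (f"'{brand}' appears in {host} ({host_depth(host)} labels deep) "
                      f"but the registrable domain is {reg}")
            return ("spoof", detail)
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links: the attacker host below is made up, not the one in the email.
    for link in ("http://commercial.wachovia.online.financial.business.attacker-example.com/Service.htm",
                 "https://www.wachovia.com/login",
                 "https://www.example.org/"):
        print(brand_spoof_check(link))
```

In a mail gateway this runs over every href in the message body; the "unknown" verdict is deliberate, since a link that mentions no protected brand is not evidence of anything either way, and the label count is a useful secondary score when the brand list does not cover the lure.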

MSN IM Worm

Another MSN IM-worm is making the rounds, in an effort to create yet another IRC-based botnet. Almost all of the activity that we are seeing is coming from our user community in Italy, Spain, Argentina and Peru.

A message will arrive, asking "Is this your photo?", and will either carry with it an attachment that appears to be "134453_9198.JPG-WWW.MYSPACE.zip" and within it "134453_9198[1].JPG-WWW.MYSPACE.COM" or "134453_9198.JPG-WWW.YOUTUBE.COM",
"134453_9198.JPG-WWW.MSNSPACES.COM" and
"IMAGE_134453.JPG-WWW.MYSPACE.COM".
The file may be delivered via a link in the message as well. When executed, the file copies itself to temp as taksmgr.exe and the windows directory as wksvcsc.exe or
winudpmgr.exe and attempts to send itself to everyone in your MSN address book. Variants have attempted to phone home to m.bihsecurity.com over IRC and other channels. The activity is recorded in this ThreatExpert report.
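Both this post's lure names and the double-extension bundles listed in the Rustock Crackz post above follow a few recognisable patterns. As an added example (not the blog's or ThreatFire's code), this Python triage function flags those patterns on a file name alone; the extension sets and lure words are assumptions chosen from the names quoted on this page, and the sample batch is constructed:

```python
import re

# Assumed extension sets, drawn from the lure names quoted on this page.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "zip", "rar", "txt",
              "doc", "xls", "pdf", "avi", "mpg", "wmv", "mp3"}
# Words that promise media, codecs or cracked software rather than a program.
LURE_WORDS = ("video", "photo", "pic", "image", "codec", "crack", "keygen",
              "serial", "certificate", "album")
IMAGE_THEN_SITE = re.compile(r"\.(jpe?g|gif|png|bmp)-www\.")


def classify_filename(name):
    """Return the reasons a delivered file name looks like a lure (empty list = nothing seen)."""
    reasons = []
    lower = name.lower()
    parts = lower.split(".")
    if len(parts) < 2:
        return reasons
    final, stem = parts[-1], ".".join(parts[:-1])
    # 1. name.txt.exe / name.zip.exe: a harmless-looking extension right before an executable one
    if final in EXECUTABLE_EXTS and len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{final}")
    # 2. photo.jpg-www.myspace.com: an image extension glued to a site name; the real extension is the tail
    if IMAGE_THEN_SITE.search(lower):
        reasons.append("image extension followed by a web-site name")
    # 3. ...www.something.com: reads as a URL, but .com is a DOS executable extension
    if final == "com" and "www." in lower:
        reasons.append("URL-looking name ending in the executable extension .com")
    # 4. video1.exe, stormcodec.exe, crack.exe: an executable that promises media, a codec or a crack
    if final in EXECUTABLE_EXTS and any(w in stem for w in LURE_WORDS):
        reasons.append("executable named like media, codec or crack bait")
    return reasons


def triage(names):
    """Map each suspicious name to its reasons; names with no findings are left out."""
    return {n: r for n in names for r in [classify_filename(n)] if r}


if __name__ == "__main__":
    # Constructed sample batch, mixing the page's lure patterns with benign names.
    SAMPLE = ["Microsoft_Office_Professional_Plus_2007.txt.exe",
              "newphoto011.jpeg-www.myspace.com", "video1.exe",
              "quarterly_report.docx", "holiday.jpg"]
    for name, why in triage(SAMPLE).items():
        print(name, "->", "; ".join(why))
```

A name-only check of this kind belongs at the IM or mail gateway as a cheap first filter before any content scanning; note that it deliberately says nothing about a bare "image021.zip", which can only be judged by what is inside the archive.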


VirusTotal results help explain why this one is spreading:

File image_134453_9198.jpg-www.myspace received on 06.04.2008 18:16:28 (CET)

Antivirus           Version          Last Update   Result
AhnLab-V3           2008.5.30.1      2008.06.04    -
AntiVir             7.8.0.26         2008.06.04    Worm/IrcBot.43803
Authentium          5.1.0.4          2008.06.04    -
Avast               4.8.1195.0       2008.06.04    -
AVG                 7.5.0.516        2008.06.04    -
BitDefender         7.2              2008.06.04    -
CAT-QuickHeal       9.50             2008.06.04    Backdoor.IRCBot.dip
ClamAV              0.92.1           2008.06.04    Trojan.IRCBot-2456
DrWeb               4.44.0.09170     2008.06.04    -
eSafe               7.0.15.0         2008.06.04    -
eTrust-Vet          31.6.5847        2008.06.04    -
Ewido               4.0              2008.06.04    -
F-Prot              4.4.4.56         2008.06.02    -
F-Secure            6.70.13260.0     2008.06.04    Backdoor.Win32.IRCBot.dip
Fortinet            3.14.0.0         2008.06.04    -
GData               2.0.7306.1023    2008.06.04    Backdoor.Win32.IRCBot.dip
Ikarus              T3.1.1.26.0      2008.06.04    Backdoor.Win32.IRCBot.dip
Kaspersky           7.0.0.125        2008.06.04    Backdoor.Win32.IRCBot.dip
McAfee              5309             2008.06.03    -
Microsoft           1.3604           2008.06.04    -
NOD32v2             3158             2008.06.04    Win32/IRCBot.AGQ
Norman              5.80.02          2008.06.04    -
Panda               9.0.0.4          2008.06.04    Suspicious file
Prevx1              V2               2008.06.04    Worm
Rising              20.47.22.00      2008.06.04    -
Sophos              4.30.0           2008.06.04    Mal/Generic-A
Sunbelt             3.0.1144.1       2008.06.04    -
Symantec            10               2008.06.04    -
TheHacker           6.2.92.333       2008.06.03    -
VBA32               3.12.6.7         2008.06.03    -
VirusBuster         4.3.26:9         2008.06.03    -
Webwasher-Gateway   6.6.2            2008.06.04    Worm.IrcBot.43803

Additional information
File size: 43803 bytes
MD5...: 7029a5feddc61e7da347b80c0fa3cc48
SHA1..: 431d7e328245dfd493fce228901c97af2912f7b2
SHA256: 7a35c959f1c7026115fa41253a782a36909a12a9301ec5d9453c25e238f304cc
SHA512: c29a762a71e28842fd65e2fc798ad79ba4c25ccaa21d57f1e0ac7c708fc107a60f99c528d16d79eb8ab085cb26472d8a892aa4c79e35dd25e01d3cd388b403de
PEiD..: -


We saw this same sort of IM-worm activity in December.


Update -- It's now June 24th. Some of the other vendors' research teams have had the time to get a little more certain on this worm. Maybe just a nudge would help... ;)

Tuesday, May 20, 2008

Year of the Rogueware

Another misleading AV package keeps returning to our lists, modified by its writers and rereleased constantly to minimize AV detection and widen their window of opportunity to mislead users. As previously posted, the themes for this stuff change fairly frequently. But this one, WinSpywareProtect, is like a bad rash that keeps coming back. We find users attempt to run its installer, Install1.exe, and its payload, winspywareprotect.exe, on their ThreatFire community systems far too often.

The web site is fairly convincing. It appears as though the software company has won a number of awards. Any amount of googling, however, will show that these award logos are completely illegitimate:

AV detection is somewhat shoddy for the installer during this window of opportunity:

Careful with what you are installing on your system. As in our previous post linked above, fraud and rogueware are rampant efforts -- social engineering can have a payout.

Friday, May 9, 2008

Ongoing targeted attacks during Tibet, Burma controversy and Olympic torch protests

Unfortunately, targeted computer attacks commonly occur. This morning's NPR show exposed such problems in regards to activists and journalists in China. Sadly, not much data is public about these sorts of attacks and it would be easy to speculate that such types of attacks are on the rise. Sometimes, the groups being attacked do not want members to be exposed or further put into public light and sometimes they do not fully understand they are being attacked. The NPR audio mentioned groups like the Falun Gong, Students for a Free Tibet, Human Rights in China and some China-based foreign journalists. Often, the attackers' identities are more difficult to uncover than more entertaining examples we've given in the past. While spoofed sources may seem to be from friends or friendly members of organizations, the true source remains in the shadows, hiding university or seemingly public ip addresses.

The various code used in targeted attacks that we have evaluated to date are not terribly impressive pieces of malware. The trojans and spyware often are delivered over email as embedded data within files of all formats with enticing names that the recipient would most likely be interested in. For example, the NPR interview mentioned a "resume.doc" file that was delivered to current board members and staff of the targeted Students for a Free Tibet from the spoofed email address of an ex-board member. These Microsoft Word docs, Excel spreadsheets, malicious .chm help files, and Powerpoint slideshows usually are malformed in one way or another to attack vulnerabilities in flawed software on the receiver's side. When opened by outdated software, these maliciously crafted files and the included code drop and run trojans and spyware embedded in the files on the victim's system.
Most can be prevented by keeping software updated and patched, running security solutions, and as always, security in layers is recommended.

The audio mentions that most AV scanners are often evaded by the software components of these targeted attacks (an unusual admission from a member of the AV industry!), and that trojan builders create nastier rodents in response to the AV companies' better mousetraps.
ThreatFire is different -- our behavioral-based cat is bigger and faster than that little piece of cheese sitting on the wire and wood thing in the attic. Purrs like a kitten too.

Tuesday, April 8, 2008

Storm using Zlob tactics and spoofed codec theme

Ok, I'm convinced, this group is falling apart. The storm gang has splintered off into separate directions. Some appear to be teaming up with the same bunch of guys that distribute rogue antispyware. In this case, they are providing exploit-less web pages hastily thrown together that politely serve up a codec. The title bar of the web page remains at "I love you" from the last theme, and current malicious storm page content pushes a "Storm Codec", copycatting the Zlob rogue antispyware pushers' theme of enticing video codecs:

"You have no Storm Codec on your PC". Keep it that way. Do not download and run "Stormcodec.exe" or "StormCodec8.exe" from unusual sites.

Btw, this theme is apparently a spoof on the Storm codec plugin offered at Softpedia and other freeware distributors. The original plugin apparently handles a number of formats, but has been bundled with malicious Trojans. The "Stormcodec7.exe" installer for that plugin on the Softpedia site appears to be over 20 mb, while the malicious binaries from a couple malicious Storm sites that we collected are ~137kb for now.
The current Storm sites contain images ripped from blogs and web pages like these, where it was described as the "dominant media player in China Windows system":

The securityzone and Arbor Networks blogs are making note of the "fastflux" dns technique for the currently malicious domain used this time around at "_supersameas _. _com_".

Monday, March 3, 2008

MonaRonaDona Mystery Solved

Brian Krebs at the Washington Post blogged today about a pretty common, unusually mysterious, and very badly named extortion scam, "MonaRonaDona":
"Nobody seems to know how the thing wiggles into infected PCs in the first place, but the one thing that's clear is that this invader's primary purpose is to call as much attention to itself as possible...This piece of malware disables a number of programs on the victim's PC, changes the title of each Internet Explorer Window to include its name, and pops up the warning shown in the adjacent screenshot."

Our talented friend Roel at Kaspersky blogged about symptoms that they've seen as well, without much to add about its origins:
"How the malware actually reaches the system isn't entirely clear at the moment. When first run, the only thing the program does is register itself to start at Windows boot. As symptoms of infection aren't immediately visible, this makes it harder for victims to pinpoint what they were doing when they actually got infected. "

We were analyzing the same threat earlier this morning, when one of our support team was contacted about the problem. Our ThreatExpert and ThreatFire protected community provided the binaries to find some answers.

Some of these users unfortunately were persuaded over the past week or so to run a version of "RegistryCleaner2008.exe" (afec3d0f13b8f866f2c2eec122024165 for you researchers out there), as can be seen here:

Along with a particular version of "RegistryCleaner2008.exe", came a little friend by the name of "srvspool.exe" and friends. Some of the infection symptoms are somewhat simple and silly compared to other threats we've been researching -- "MonaRonaDona" appears in the Internet Explorer title bar, the "DisableTaskManager" key in the registry is set so users cannot use Ctrl+Alt+Del to kill the threat on their system, and "srvspool.exe" appears in the All Users startup folder.

Interestingly, the release coincided with the shortlived appearance of an antivirus suite at www.unigray.com. Notice the "New Spyware Threats" list in the bottom right corner contains #1 new find "MonaRonaDona". At the moment of posting, googling for this dreadfully named virus family turns up no results from any of the credible AV vendors:

Meanwhile, a mysterious poster "ParadiseForever" claimed that "The computer virus by the name Monaronadona is causing widespread havoc by infecting computers everywhere" and that "The only solution would be to install a good AntiVirus software package which can detect and kill the virus. There are a lot of free AntiVirus softwares available online. However the normal antivirus such as Norton or McAfee may not work for this Virus.
You can try dowloading the Unigray Antivirus which is considered the best for removing the monaronadona virus compared to the other spyware / antivirus programs", which can be seen here:

And here is an attempt to lend credibility to this overpriced, false-positive-producing Unigray scanner, by putting it in the same list as established and well known AV vendors:

Note that it has been reported by other researchers that users' search engine results are modified in some way, but we have not witnessed this activity. Instead, the rogueware authors have posted at Digg and other sites in order to appear as top Yahoo and other search engine hits for the search term "MonaRonaDona", with pages that promote the rogueware Unigray AV scanner.
A clean system shows that the top unsponsored result at the yahoo web site takes you to the phony "ParadiseForever" post at hubpages.com:

More of the scam can be read about on Krebs' post, where he instructs users "If you're a victim of this extortion scam, please don't pay up."

We'll have more details about the binaries and provide updated information as well. In the meantime, we are pleased to report that the source of this Rogueware is quiet at the moment:

Wednesday, February 6, 2008

Infested stock message boards and a quick response

Sometimes, surprising events in the financial news draw users to the message boards. On Yahoo!, individual stock message boards are usually a safe haven for posting and browsing.
Right now, one stock at the Yahoo finance site appeared to have an almost 60% drop for the day. Instead, the company might be performing a reverse split with little notice. There is no news headline about a reverse split for the company, so the next logical step would be to check out the message boards and see what other users might be sharing.

Once on the message boards, a user may fall for friendly advice like "This Video Forecast should help" (link intentionally removed). DO NOT FOLLOW THESE LINKS RIGHT NOW. We decided to follow these links once we saw them. After following one of them, our goat lab systems became totally infected by malware and completely unusable. Adware, worms, multiple processes and more were overloading the system's capacity. We can only post an image at this point of the link to the infecting site (DO NOT VISIT THESE LINKS). These attackers are acting quickly on the confusing financial news:

UPDATE: It seems that the web links spammed to the message boards may be linked to a handful of web servers that were compromised. For example, here is a list of spammed links to another message board. We highlight one in particular in red:

Here is the web page at the highlighted link's destination, apparently revealing a compromised site. Most likely, the malware and exploits served up at these sites were the result of compromised servers:

The operators of these sites seem to be on top of the problem, and almost all of the links we're visiting are now cleaned up.

These short lived and effective attacks can ruin your day. They lurk in the most unexpected of places, not just the adult and warez sites. Be sure to keep your security solutions updated.

Monday, December 31, 2007

Bring in the New Year with a new Storm variant

What a generous way to bring in the new year. The Storm/Peacomm gang, the same group whose activities we presented at VB2007 and posted about previously, has not disappeared. The holidays brought a round of Christmas-themed spam, complete with a simple link to nginx servers and the promise of a friendly xmas related message. In the past couple of days, they have turned towards a new year theme:
"Happy New Year!
Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!"

Consistent with their past attacks, the executable name is themed as well. We have seen "happynewyear2008.exe", "happy_2008.exe" located on servers in Poland and multiple sites around the world. But in a small departure from using just unregistered ip addresses, these malware serving web hosts are now registered with cute, related DNS .com domains, like "newyearwithluv" or "hellosanta". The gang broke another trend and flashy graphics on the sites are not present either.

We are seeing a strong uptick in the number of users actually running these files (happy-2008.exe, happynewyear2008.exe, happy_2008.exe, happynewyear.exe) on their systems. Please exercise caution when visiting links that were sent to you, update all of your system patches at the Microsoft Update site, and if using Quicktime or Firefox, update them as well.

Cheers to secure computing and happy New Year!

Wednesday, December 5, 2007

Surge in IM worm activity -- don't look at that cute puppy

We're seeing a surge in IM-worm activity today. We've been seeing a higher level of activity for this type of attack for the past couple of weeks now.

If you receive a file over Yahoo! or MSN Live Messenger service that looks like image021.zip, DO NOT download it. It drops what appears to be a keystroke/vpad scraping bot that phones home to an ip address in Turkey. It also downloads more components from servers in Shanghai and New Zealand.

Here is a screenshot of the MSN Live Messenger client handling the incoming message. The incoming message arrives from one of your contacts as image021.zip, or something close to that name. It arrives alongside a cute message listed below. In our lab, the zip file arrived underneath
"hey look @ my cute new puppy :-D"

These lines of text are being changed by the authors/distributors. They maintain a "chat.txt" file that is downloaded by the bot from a server in Austria containing all the comments that the worm may chat. Here are the current cute comments the message might arrive as:
hey look @ this picture of me, when I was a kid
I just took this picture with my webcam, like it?
hey look @ my cute new puppy :-D
hey man, did you take this picture?
holly cow this picture is nasty check it
check it, i shaved my head
have u seen my new hair?
what the ____, did you see this?
hey I'm sending you a profile pic tell me if its nice k?
haha lets hope your parents dont see this picture of you :D
hey did i ever show you this picture of me?
is it ok if I add this picture of us to my new slideshow?
can i upload some of these pics of you to my myspace profile?
you care if i put this pictuer of you in my new album?
I cant believe they wanted me to upload this picture to facebook lol.
Lmfao hey im sending my new pictures! Check em out!
is it alright if I upload this picture of us to myspace?
is it alright if I upload this picture of us to facebook?
do you see anything strange in this picture about me?
Wanna see my pics before i send em to facebook?
you mind if I upload this pic of us to my online album?
do you think this picture is too kinky for Myspace?
This picture isnt you... right?
Wow i think i found your pic on myspace!
do I look dumb in this picture? I want to put it on myspace.
sry about the messup i fixed the pic! Try it one more time pz
is this pic tooo sexy for photobucket??
my crazy sister wants u to see these pics for some reason... take a look
ohhhh myyy look at this pic haha!
wow! look at this old picture i found....
wanna see this pic of my Boobs?
haha, this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey just finished new myspace album! :) theres a few kinky ones in there!
hey you got a myspace album? anyways heres my new myspace album :) accept k?
Dude i found your picture on hotornot.com! Take a look!


Note: you can observe the struggle that this poor soul went through after downloading, unzipping and running the "album1of42.zip" file they received over MSN Messenger. They unfortunately are seeking out volunteer advice for the time consuming steps of cleaning up a system infected with this worm.

Update: This same sort of IM-worm activity will surge in different parts of the world six months from now.

Tuesday, December 4, 2007

Sunbelt IeDefender/zoey zane find still up and running

Monday morning, Adam Thomas of the Sunbelt crew posted about a sick0 scheme to use the information from a shocking news story about the death of a girl to lure in new rogueware IeDefender victims. While we haven't seen a large spike in the downloads of this stuff, we've been monitoring the site -- it remains up.

In our lab, we saw closely related but slightly different results. The videomp3_setup_.exe file, when manually run, pops a couple of different and changing windows:

Following the rogueware install, the software will open an Internet Explorer window, conveniently googling the term "sex" for you, and injecting its own html into the results, spoofing the google results. The first chunk of injected HTML is a warning posing as though it is from google: "Google Error! Your computer is infected!..."
The second chunk immediately follows the fraudulent claim. It inserts a pornographic image next to a phony link that claims to be on the youtube site (clicking on it directs you to a completely different porn domain, not youtube). You can see the (censored) fraudulent results here:

Unfortunately, scanner results seemed to be spotty to non-existent for this threat:

We've distributed samples to the appropriate people for inclusion in other security products' protection.

Thursday, November 15, 2007

A tsunami inheritance

Old scams don't go away. The Nigerian 411 scam became a bit more sophisticated not too long ago. In addition to the weepy story of a mysterious, deceased, incredibly wealthy relative that left no will but left behind lots and lots of money, the senders include a link to news stories around the globe. Somehow, the link is supposed to add credibility to this anonymous person's claim from South Africa. Here is an example that got through Yahoo!'s spam filter today, notice the link circled in red. This news story happens to be from 2004:

If you receive one of these, delete it.

In our lab, we clicked on the link, and it took us to a legitimate CNN story. See the linked page here:

Aw, come on, doesn't that make it believable?
No. This sort of email is fraudulent. Delete it.

AVKiller making the rounds again

We're hearing more reports of AV killing bots being spammed in Europe again. Back in September, we posted an analysis of a driver that modifies the file system stack. In human terms, that means the driver disables most real-time anti-virus scanner functionality (it's the anti-virus software magic that can scan a file when you copy it to your drive, and immediately identify the file as malicious). Luckily, this time around, eighteen of the thirty-two scanners maintained on VirusTotal detect this portion of the critter, the downloader that is emailed to users (when we first saw the file, detection rates were almost non-existent):

The email message containing the AVKill/rootkit attachment is getting through spam filters this time around. The best advice, if you receive an email with an enticing subject line like "Free Hot Game" or "Free Sports Tracker" and the text of the message is nonsense, is to delete it immediately.

Wednesday, November 14, 2007

Microsoft Security Bulletin MS07-0062?

While there may be some important Microsoft updates, none of them will arrive via email. Write it down. Microsoft does not send out updates via email. Do not click on links related to Microsoft's updates that arrive via email.

There seems to be a new variant of some old mischief being sent out. Remember, Microsoft NEVER sends out updates via email. Do not run any executable sent to you with the subject line "Microsoft Security Bulletin MS07-0062".

If you want to update your Windows system or check for new patches, go to your Start Menu and find the "Microsoft Updates" or "Windows Updates" shortcut. Or, just go to the Microsoft Update page using Internet Explorer.

Friday, October 12, 2007

Creepy kitty

Their social engineering team hasn't run out of ideas yet, but the attacks are starting to look a bit creepy. Here is a screenshot of the latest Storm related attack site:

It's not reproduced all that well on this blog posting, but the image is a flash file, and the cat's head vibrates up and down rapidly.
So now they are taking on that group of people that forward disgustingly "cute" pictures of animals.

At the bottom of this page, when visited with Firefox, the authors include a treat -- if you don't want to download and run the malicious "SuperLaugh.exe" file hosted on the site, they'll run it without your permission by attacking the Windows Media Player vulnerability. If you use Firefox, be sure to update it by clicking Help -> Check for Updates...
The pages attack IE and Opera also, so be sure to update them if you haven't already.
All exploits from these Storm related web pages are stopped by Threatfire as always...