Worm Posts on SNS Sites and Wipes out Rivals

W32.Wergimog is a worm that attempts to spread through removable drives and opens a back door. When I looked into its variants, I found an interesting sample, which I named W32.Wergimog.B. Both samples are based on the same source code, but the .B variant contains even more interesting functionality that I would like to detail here.

For legitimate applications

W32.Wergimog.B injects itself into legitimate applications, such as Internet Explorer and Mozilla Firefox, as shown in Figure 1.

Figure 1. Threat injects itself into certain applications and then connects to the Internet

Once it confirms that the applications it has injected itself into have network connectivity, it performs the functions outlined below.

Posting on Social Networking Service (SNS) sites

If a user connects to any of the following SNS sites, the worm is capable of modifying a chat message, status update, or Tweet:

  • Facebook Chat
  • Facebook Wallpost
  • Hi5 Status Update
  • Hyves Status
  • Linkedin Status Update
  • Myspace Status Update
  • Omegle Chat
  • Tweet (Twitter)

Initially, the worm connects to the command-and-control (C&C) server to obtain the content that it posts to the SNS services. At present, we are unable to obtain these posts, but the posting command is called ‘spread’. It is likely, therefore, that the post contains a URL that points to a location where a user might download W32.Wergimog.B or some other malicious program.

This is not the first threat to attempt to spread through SNS sites. W32.Koobface, for example, also applied this approach. While there is an overlap in the sites that both of these worms use to spread, one distinction between the two is that, unlike the Koobface family, W32.Wergimog.B does not make its own connection to the SNS servers. Rather, it waits for a user to make a new post and then modifies it.

Account stealing

Another function of the worm allows it to steal user account and password information if a compromised user logs in to any of the following sites:

  • fileserve.com
  • hackforums.net
  • hotfile.com
  • megaupload.com
  • thepiratebay.org
  • uploading.com

It is interesting to note that some of the above sites are file sharing services. It is possible, therefore, that the stolen account information may be used to spread the worm through these download sites, thereby allowing it to spread even further.

Attack on rival threats

An interesting feature of this worm is that it also injects itself into other threats, as shown in Figure 2.

Figure 2. Injects itself into rival threats

The worm contains lists of rival threat names and signatures to determine if the threats exist on the same computer. The following threats are targeted:

  • DarkComet
  • IRCBot
  • Metus
  • RXBot
  • Warbot
  • xvisceral

The following image illustrates rival threat names and their corresponding signatures.

Figure 3. Threat names and corresponding signature “pairs”

After infection, the worm hooks network communication on the computer. It then attempts to identify the signatures in that traffic and ends any processes of rival threats that it finds, as can be seen in the image below. This is very similar to how IPS software operates.

Figure 4. Wergimog.B kills processes of any rival threats that it finds

The targeted threats are very prevalent, so it may be that the W32.Wergimog.B author wants to avoid being removed along with these threats. This is because an increase in malicious network communications makes it easier for a user to become aware that an infection exists.

Sometimes we see a function in a threat that attempts to end the operation of rival threats, but generally speaking such functionality is very simple, for example checking for a specific file path, process name, or registry entry. In contrast, the method employed by W32.Wergimog.B is very reliable, as the signatures are very specific and thus it can be sure of stopping the rival threats.
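The contrast drawn above between simple indicators and IPS-style traffic signatures can be seen from the detection side in the following added example, which is not code from the worm or from the original post. The family names, image names, signatures, and process snapshot are all constructed for illustration and are not the pairs shown in Figure 3.

```python
import re

# Constructed indicators for two made-up families (assumptions, not from Figure 3).
NAME_INDICATORS = {"examplebot.exe": "ExampleBot", "samplerat.exe": "SampleRAT"}
TRAFFIC_SIGNATURES = {
    "ExampleBot": re.compile(rb"^NICK \[XB\|[A-Z]{3}\|\d+\]\r\n"),
    "SampleRAT": re.compile(rb"^SRAT\x01.{4}HELLO", re.DOTALL),
}

# Constructed snapshot: pid -> (image name, first bytes of an outbound flow).
PROCESSES = {
    1204: ("examplebot.exe", b"NICK [XB|USA|48213]\r\nUSER x x x :x\r\n"),
    2310: ("svchost32.exe", b"SRAT\x01\x00\x00\x00\x10HELLO"),  # renamed sample
    3377: ("samplerat.exe", b"GET /update.xml HTTP/1.1\r\n"),    # benign, unlucky name
    4120: ("firefox.exe", b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
}

def match_by_name(processes):
    """Simple check: flag a process when its image name is on the list."""
    return {pid: NAME_INDICATORS[name.lower()]
            for pid, (name, _) in processes.items()
            if name.lower() in NAME_INDICATORS}

def match_by_traffic(processes):
    """IPS-style check: flag a process when its traffic matches a signature."""
    hits = {}
    for pid, (_, payload) in processes.items():
        for family, sig in TRAFFIC_SIGNATURES.items():
            if sig.search(payload):
                hits[pid] = family
                break
    return hits

def compare(processes):
    """Return (pids the name check missed, pids only the name check flagged)."""
    by_name = match_by_name(processes)
    by_traffic = match_by_traffic(processes)
    missed = sorted(set(by_traffic) - set(by_name))
    name_only = sorted(set(by_name) - set(by_traffic))
    return missed, name_only

if __name__ == "__main__":
    print("name check:   ", match_by_name(PROCESSES))
    print("traffic check:", match_by_traffic(PROCESSES))
    print("missed / name-only:", compare(PROCESSES))
```

The renamed sample (pid 2310) is invisible to the name list but matches on its traffic, while the benign process with a listed name (pid 3377) is flagged only by the name check.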

In addition, both the original W32.Wergimog and the .B variant have three types of denial-of-service (DoS) attack vectors: UDP flooding, SYN flooding, and ‘Slowloris’. A DoS tool called Slowloris was released in 2009 and had a big impact on servers. It targets Apache 1.x, 2.x, and some HTTP servers. It’s a little old now but remains popular. W32.Wergimog variants use the same technique, but we don’t know what the relationship is between the original tool and the W32.Wergimog variants.

These two variants started to appear between April and June 2011, and both of them have continued to be reported on until April of this year. To avoid infection by the W32.Wergimog variants, keep your security products and OS updated. We are continuing to watch out for developments of the W32.Wergimog worm.