Worm Lures Victims with Indian Celebrity Video Links

Malicious worms are found infecting customers throughout the year. They keep evolving to evade antivirus detection: they add junk code or come up with new custom packers, yet retain their full functionality and keep rewarding their developers.

We have seen earlier how different types of malware use chat windows to download and spread across victims here and here.

This worm spreads by copying itself to removable drives and writeable network shares, and by modifying system settings. It can also send out messages via instant messaging clients.

Spreading technique:


Payload

A file named Setting.ini is dropped into the Windows system folder. The worm then tries to download further files from a URL picked at random from that file; once downloaded, they are executed.

What looked interesting to us was that some messages sent by this worm carried the names of Indian celebrities such as Aishwarya Rai, Nayanthara and Simbu, followed by a link.

The URLs are retrieved at random from setting.ini and point to a remote server hosting a copy of the worm. The following are a few of the messages seen:

  • “Aishwarya Rai videos ftp://tlpoeil:[email protected] <url>”
  • “stream Video of Nayanthara and Simbu ftp://tlpoeil:[email protected] <url>”
  • “Latest video shot of infosys girl ftp://tlpoeil:[email protected] <url>”
  • “cyber cafe scandal visit ftp://tlpoeil:[email protected] <url>”
  • “World Business news broadcaster ftp://tlpoeil:[email protected] <url>”
  • “Regular monthly income by wearing your shorts at the comfort of your home for more info ftp://tlpoeil:[email protected] <url>”
  • “Nfs carbon download ftp://tlpoeil:[email protected] <url>”
  • “Free mobile games ftp://tlpoeil:[email protected] <url>”
  • “Nse going to crash for more ftp://tlpoeil:[email protected] <url>”

Judging by the list of messages in setting.ini, we suspect this variant of the worm was targeted at Indian computer users.

If the worm fails to read the content of setting.ini, it sends one of the following messages (in Vietnamese) with the URL pointing to the remote server hosting the worm.

  • E may, vao day coi co con nho nay ngon lam
  • Vao day nghe bai nay di ban
  • Biet tin gi chua, vao day coi di
  • Trang Web nay coi cung hay, vao coi thu di
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…


The worm also enumerates the applications running on the victim’s machine and terminates them if any of the following strings are found:

  • “Registry”
  • “System Configuration”
  • “Windows mask”
  • “Bkav2006”
  • “Trung tâm An ninh mạng Bkis”
  • “FireLion”

The following system changes can be checked to detect the presence of this worm:

  • The presence of the following files:
    <system folder>/regsvr.exe
    <system folder>/svchost .exe
    %windir%/regsvr.exe
    New Folder.exe (with a folder icon)

The dropped files are all copies of the worm carrying a folder icon.

  • Taskmgr.exe and Regedit.exe are disabled.
  • AT1.job is created to ensure that the worm gets executed everyday at 9:00 AM.

  • The presence of the following registry modifications:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    “Shell” = “explorer.exe regsvr.exe”
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    “Msn Messsenger” = “<system folder>\regsvr.exe”
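As an added example (not part of the original post), the following PowerShell script checks a Windows host for the indicators listed above. It assumes that the “New Folder.exe” copies sit at the root of each drive and that Task Manager and Regedit were disabled through the standard DisableTaskMgr and DisableRegistryTools policy values; the post names neither location nor mechanism.

```powershell
# Added example: look for the W32/Autorun.g indicators from the write-up.
# Run in an elevated PowerShell session; prints one line per finding.
$sys = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$findings = @()

# 1. Dropped files named in the write-up ("svchost .exe" really has a space)
$paths = @("$sys\regsvr.exe", "$sys\svchost .exe", "$env:windir\regsvr.exe")
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. "New Folder.exe" at the root of each drive (assumed location)
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $candidate = Join-Path $_.Root 'New Folder.exe'
    if (Test-Path -LiteralPath $candidate) { $findings += "File present: $candidate" }
}

# 3. Winlogon Shell hijack: a clean system has exactly "explorer.exe"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell = '$shell'" }

# 4. Run-key persistence under the value name the worm uses
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$msn = (Get-ItemProperty -Path $run -Name 'Msn Messsenger' -ErrorAction SilentlyContinue).'Msn Messsenger'
if ($msn) { $findings += "Run value 'Msn Messsenger' = '$msn'" }

# 5. Legacy at.exe job AT1.job (stored under %windir%\Tasks)
$job = Join-Path $env:windir 'Tasks\AT1.job'
if (Test-Path -LiteralPath $job) { $findings += "Scheduled task present: $job" }

# 6. Policy values that disable Task Manager / Registry Editor (assumed mechanism)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
    $val = (Get-ItemProperty -Path $pol -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -eq 1) { $findings += "Policy set: $v = 1" }
}

if ($findings.Count -eq 0) { 'No W32/Autorun.g indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A non-default Shell value or a hit on any file path warrants pulling the sample rather than just deleting it, so the DAT team can confirm the variant.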

We advise our customers to take extra care when plugging in USB sticks, and to keep their DATs updated.

McAfee detects this worm as W32/Autorun.g.

Ransomware: Extorting Money by Panic and Pressure

We have blogged in the past about Ransomware being a growing menace and that ONE SHOULD NOT PAY RANSOM if affected. Ransomware has now reared its ugly head once again. Writers of Trojan.Ransomlock.G (a.k.a. Reveton) have updated their lock screen to induce panic and blackmail the user into paying the ransom.

Recently, blogger Kafeine found a ransomware sample which threatens to format and wipe all the documents on the compromised system if the user attempts to unlock the computer manually.

Figure 1. New Trojan.Ransomlock.G lock screen

Symantec Security Response has analyzed the malware sample and did not find any code related to this wiper functionality. In our tests we also manually removed the ransomware from the system and unlocked the computer without any formatting or files being deleted.

If we take a close look at the image, there are three major changes to the lock screen compared to the one the attackers were using a month ago.

Figure 2. Updates to the Trojan.Ransomlock.G lock screen

The following changes were made:

  1. Attackers added a fake warning (to format the operating system and delete all documents)
  2. Attackers increased the ransom amount (from $200 to $300)
  3. Attackers introduced a countdown timer (to allow only 48 hours to pay the ransom)

This is an attempt to extort money from computer users by taking advantage of human weakness under panic and pressure. If you are affected by Trojan.Ransomlock.G, DO NOT PAY THE RANSOM. Instead, refer to our removal instructions. For more details on Ransomware, read our whitepaper.

Hacked Sites – An Open Door To Malware

Compromised websites have long been an attractive target for cyber-criminals. These websites distribute different malware designed to steal valuable information from the victim’s machine. McAfee has recently encountered a compromised website that distributes a malicious .jar file and fake AV.

The compromised web page contains an iFrame that redirects the user to download a malicious .jar file.

The link to the compromised website may arrive via email as part of a spam campaign that lures the user into clicking the malicious link. After the user accesses the compromised website, it shows a fake message box about critical process activity on the computer.

On clicking the OK button, a .PNG file hosted on the compromised site is opened. This .PNG file shows a fake alert image that pretends to be from a security product, scares the user into thinking the computer is seriously infected by critical malware, and suggests that the user clean the computer.

The compromised website has another iFrame that downloads a malicious file when the user clicks on the .PNG file.

Upon execution, the malicious file shows a variety of fake security alerts and warnings. This rogue variant also uses a different GUI depending on the version of the operating system it infects.

Finally, it attempts to convince the user to purchase the full version of the fake product.

McAfee strongly recommends that users exercise caution when opening unsolicited emails. Ensure your anti-malware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites. McAfee detects this malware as “FakeAlert-FFO” and the .jar file as “Exploit-CVE2012-1723”.


Is it Wiper again? Not exactly!

Targeted attacks, which attempt to breach the security measures of an organization, have been around for a number of years. Each targeted attack uses its own techniques to steal valuable information from the targeted organization. In addition, CERTCC.IR has discovered a targeted attack that wipes files stored on the hard disks.

Overview of the Attack

The infection occurs when the user executes a self-extracting RAR file (the initial dropper), which installs additional malware on the victim’s machine.

This is a very simple attack. The attacker used BAT files to perform the sequence of malicious activities, and a BAT2EXE conversion tool was used to turn these BAT files into executable files.

The malicious payload first checks the date on the victim’s machine; if it matches one of the dates listed below (mm-dd-yyyy), it waits 50 minutes and then starts wiping the files on the logical drives listed below.

List of drives checked:

  • D
  • E
  • F
  • G
  • H
  • I

This malware triggers the delete operation only on specific dates, which run until the year 2015.

2012         2013         2014         2015
12-10-2012   01-21-2013   02-03-2014   02-02-2015
12-11-2012   01-22-2013   02-04-2014   02-03-2015
12-12-2012   01-23-2013   02-05-2014   02-04-2015
             05-06-2013   05-05-2014
             05-07-2013   05-06-2014
             05-08-2013   05-07-2014
             07-22-2013   08-11-2014
             07-23-2013   08-12-2014
             07-24-2013   08-13-2014
             11-11-2013
             11-12-2013
             11-13-2013

In addition, this malware can delete files in the %UserProfile%\Desktop location. Finally, it runs chkdsk on the drives listed above.

The intent of this malware is quite straightforward. Our initial analysis shows that it has no connection to previous attacks such as Stuxnet, Skywiper and Gauss. McAfee detects these malware samples as “batchwiper” and the initial dropper as “batchwiper.dr”.