Press Contact

Peter Kruse
Partner & Security Specialist
pkr@csis.dk
PGP Key ID: 0x49006F37

News
2011-11-29 11:09:08

Yesterday CSIS discovered a new worm that spreads through the social network Facebook.

It is a classic worm: it infects the system, logs in to Facebook as the infected user, and spams messages to that user's friends and acquaintances.

The message consists solely of a link, e.g. (space inserted by CSIS):
http://www.offi sense.co.il / lang / images.php? facebook image =... 2119

By clicking this link, the user is lured into opening what appears to be a screensaver (see screenshot below); in reality this drops the malicious code onto the system.

[Screenshot: the fake screensaver prompt, not reproduced here]

The code is written in Visual Basic 6.0 and contains numerous anti-VM tricks aimed at VMware, Sandboxie, VirtualBox, etc., so automated sandbox analysis may not observe the malicious behaviour at all.

The malicious code is then downloaded from (space inserted by CSIS):
http://www.offi sense.co.il / lang / b.exe

The worm then attempts to copy the following file onto the system (backslashes reconstructed; the bracketed part is a placeholder for the user's profile name):
c:\users\[%userprofile%]\m-1-52-5782-8752-5245\winsvc.exe
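A host-side check for the dropped copy described above, added here as an example (this is not CSIS code and not part of the original write-up). It walks a profiles directory and reports any winsvc.exe sitting in a SID-looking folder one level below a profile. The write-up gives only the one folder name, m-1-52-5782-8752-5245; accepting other digit runs of the same shape is an assumption made in this example, and the directory tree it scans is constructed demo data.

```python
import os
import re
import tempfile

# Folder and file name observed in the CSIS write-up, directly under the user's profile.
OBSERVED_DIR = "m-1-52-5782-8752-5245"
DROPPED_NAME = "winsvc.exe"

# Assumption (not from the write-up): the digits may differ between samples, so accept
# any SID-looking "x-1-NN-NNNN-NNNN-NNNN" folder name rather than only the observed one.
SUSPECT_DIR = re.compile(r"^[a-z]-1-\d+(?:-\d+){3}$", re.IGNORECASE)


def find_dropped_winsvc(profiles_root):
    """Return every <profile>/<SID-like folder>/winsvc.exe under profiles_root.

    profiles_root is the directory holding user profiles (C:\\Users on Vista/7).
    Only the first directory level inside each profile is inspected, because that
    is where the write-up reports the copy being placed.
    """
    hits = []
    for profile in sorted(os.listdir(profiles_root)):
        profile_path = os.path.join(profiles_root, profile)
        if not os.path.isdir(profile_path):
            continue
        for sub in sorted(os.listdir(profile_path)):
            if not SUSPECT_DIR.match(sub):
                continue
            candidate = os.path.join(profile_path, sub, DROPPED_NAME)
            if os.path.isfile(candidate):
                hits.append(candidate)
    return hits


def build_demo_tree(base):
    """Create a constructed profiles directory (demo data only, no real malware)."""
    layout = {
        ("alice", OBSERVED_DIR): [DROPPED_NAME],           # exactly the observed drop
        ("bob", "m-1-52-1111-2222-3333"): [DROPPED_NAME],  # digits varied: still flagged
        ("bob", "Documents"): [DROPPED_NAME],              # same name, wrong folder: ignored
        ("carol", OBSERVED_DIR): ["readme.txt"],           # right folder, no dropper: ignored
    }
    for (profile, sub), files in layout.items():
        folder = os.path.join(base, profile, sub)
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"MZ")  # placeholder bytes standing in for the dropped file
    return base


def demo_scan():
    """Build the demo tree in a temp dir and return the hits relative to it."""
    root = build_demo_tree(tempfile.mkdtemp())
    return sorted(os.path.relpath(h, root).replace(os.sep, "/")
                  for h in find_dropped_winsvc(root))


if __name__ == "__main__":
    for hit in demo_scan():
        print("suspect dropper:", hit)
```

On a real machine, call find_dropped_winsvc(r"C:\Users") instead of the demo tree; the same loop can be pointed at a mounted forensic image by passing its Users directory.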

The worm carries a cocktail of malware onto the machine, including a Zbot/ZeuS variant, a banking trojan that steals sensitive information from the infected machine.

The worm already spreads actively from a large number of compromised domains (space inserted by CSIS):

http://www.vinam ost.net
http://www.ferry .coza
http://www.maxim ilian-adam.com
http://www.bacol odhouseandlot.com/
http://www.servi ceuwant.com
http://www.centr alimoveisbonitoms.com.br
http://www.werea d.in.th
http://www.villa matildabb.com
http://www.fiona gh-bennet-music.co.uk
http://www.uksei katsu.com
http://www.bzoe- salzkammergut.at
http://www.delic escolres.com
http://www.dekie viten.nl

The compromised servers also serve a second purpose: they collect data about the infected machines (a GeoIP lookup and a hit counter, judging by GeoIP.dat, geoip.inc and count.txt in the listing) while simultaneously serving the additional malware. The content of such a server looked as follows:

Index of /images

Parent Directory
GeoIP.dat
PIC96477.JPG.scr
b.exe
count.txt
f.exe
geoip.inc
images.php
util.php

The malicious domains are, of course, already blocked in CSIS Secure DNS.
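The domain list above and the DNS-level blocking mentioned here, worked through as an added example (not CSIS code and not part of the original write-up): the defanged domains are turned back into matchable hosts, requests in a constructed proxy log are checked against them plus the other indicators visible in the write-up (the /lang/images.php lure page, an .exe fetched from a listed domain, and the PIC96477.JPG.scr double-extension trick), and an RPZ zone is emitted that would NXDOMAIN every listed domain and its subdomains. The log lines and the query string on the images.php request are constructed; the real parameter is defanged in the write-up.

```python
import re
from urllib.parse import urlsplit

# Domains exactly as printed in the CSIS write-up, still carrying the defanging space.
DEFANGED = """
www.offi sense.co.il
www.vinam ost.net
www.ferry .coza
www.maxim ilian-adam.com
www.bacol odhouseandlot.com
www.servi ceuwant.com
www.centr alimoveisbonitoms.com.br
www.werea d.in.th
www.villa matildabb.com
www.fiona gh-bennet-music.co.uk
www.uksei katsu.com
www.bzoe- salzkammergut.at
www.delic escolres.com
www.dekie viten.nl
"""


def refang(text):
    """Strip the inserted space and the leading 'www.' label; return a set of domains."""
    domains = set()
    for line in text.splitlines():
        host = line.strip().replace(" ", "").lower()
        if host:
            domains.add(host[4:] if host.startswith("www.") else host)
    return domains


BLOCKED = refang(DEFANGED)

LURE_PATH = "/lang/images.php"  # landing page linked from the spam messages
# PIC96477.JPG.scr in the listing: an image name hiding a screensaver executable.
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|png|gif|bmp)\.(?:scr|exe|com|pif)$", re.IGNORECASE)


def host_blocked(host):
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED)


def classify_url(url):
    """Return the reasons a URL matches the worm's observed infrastructure ([] if none)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    name = path.rsplit("/", 1)[-1]
    blocked = host_blocked(parts.hostname or "")
    reasons = []
    if blocked:
        reasons.append("blocked-domain")
    if path.lower().endswith(LURE_PATH):
        reasons.append("lure-page")
    if DOUBLE_EXT.search(name):
        reasons.append("double-extension")
    if blocked and name.lower().endswith(".exe"):
        reasons.append("exe-from-blocked-domain")
    return reasons


def rpz_zone(domains=None):
    """Emit RPZ records (each domain plus its subdomains) that NXDOMAIN the listed hosts."""
    lines = []
    for d in sorted(domains if domains is not None else BLOCKED):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


# Constructed proxy log: "<time> <client> <method> <url>". The query string on the
# images.php line is made up; the real parameter name is defanged in the write-up.
LOG = """\
2011-11-28T10:01:02 10.0.0.5 GET http://www.facebook.com/home.php
2011-11-28T10:01:09 10.0.0.5 GET http://www.offisense.co.il/lang/images.php?facebookimage=x
2011-11-28T10:01:10 10.0.0.5 GET http://www.offisense.co.il/images/PIC96477.JPG.scr
2011-11-28T10:01:31 10.0.0.5 GET http://www.offisense.co.il/lang/b.exe
2011-11-28T10:02:00 10.0.0.7 GET http://cdn.example.org/photo.jpg
2011-11-28T10:02:05 10.0.0.7 GET http://www.maximilian-adam.com/images/count.txt
"""


def scan_log(text):
    """Return (client, url, reasons) for every log line matching at least one indicator."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, client, _method, url = line.split(None, 3)
        reasons = classify_url(url)
        if reasons:
            alerts.append((client, url, reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in scan_log(LOG):
        print(client, ",".join(reasons), url)
    print("\n".join(rpz_zone()[:4]))
```

The double-extension check is the indicator worth keeping beyond this campaign: the domains will be cleaned up or abandoned, but an "image" whose real extension is .scr or .exe is a lure pattern that outlives any one host list. Note that www.ferry .coza is carried over exactly as printed in the write-up, so it never matches a real host; drop or correct it if you reuse the list.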

According to VirusTotal, the malicious code was detected by only 2 of 43 engines (DrWeb and Kaspersky, the latter only heuristically) as of 2011-11-28:

Antivirus Version Last Update Result
AhnLab-V3 2011.11.28.00 2011.11.28 -
AntiVir 7.11.18.107 2011.11.28 -
Antiy-AVL 2.0.3.7 2011.11.28 -
Avast 6.0.1289.0 2011.11.28 -
AVG 10.0.0.1190 2011.11.28 -
BitDefender 7.2 2011.11.28 -
ByteHero 1.0.0.1 2011.11.14 -
CAT-QuickHeal 12.00 2011.11.28 -
ClamAV 0.97.3.0 2011.11.28 -
Commtouch 5.3.2.6 2011.11.28 -
Comodo 10791 2011.11.27 -
DrWeb 5.0.2.03300 2011.11.28 Win32.HLLW.Autoruner.52856
Emsisoft 5.1.0.11 2011.11.28 -
eSafe 7.0.17.0 2011.11.28 -
eTrust-Vet 37.0.9590 2011.11.28 -
F-Prot 4.6.5.141 2011.11.28 -
F-Secure 9.0.16440.0 2011.11.28 -
Fortinet 4.3.370.0 2011.11.27 -
GData 22 2011.11.28 -
Ikarus T3.1.1.109.0 2011.11.28 -
Jiangmin 13.0.900 2011.11.28 -
K7AntiVirus 9.119.5542 2011.11.25 -
Kaspersky 9.0.0.837 2011.11.28 HEUR:Trojan.Win32.Generic
McAfee 5.400.0.1158 2011.11.28 -
McAfee-GW-Edition 2010.1D 2011.11.28 -
Microsoft 1.7801 2011.11.28 -
NOD32 6666 2011.11.28 -
Norman 6.07.13 2011.11.28 -
nProtect 2011-11-28.02 2011.11.28 -
Panda 10.0.3.5 2011.11.27 -
PCTools 8.0.0.5 2011.11.28 -
Prevx 3.0 2011.11.28 -
Rising 23.86.00.01 2011.11.28 -
Sophos 4.71.0 2011.11.28 -
SUPERAntiSpyware 4.40.0.1006 2011.11.26 -
Symantec 20111.2.0.82 2011.11.28 -
TheHacker 6.7.0.1.350 2011.11.27 -
TrendMicro 9.500.0.1008 2011.11.28 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.28 -
VBA32 3.12.16.4 2011.11.28 -
VIPRE 11170 2011.11.28 -
ViRobot 2011.11.28.4797 2011.11.28 -
VirusBuster 14.1.88.0 2011.11.28 -