Researchers from the Danish security firm CSIS have intercepted a Facebook worm that is currently spreading. The worm spreads by sending direct messages with the privileges of the already logged-in user. The message looks like a link to an image file, whereas in reality the file has an executable .scr screensaver extension. Upon execution, the sample drops a ZeuS crimeware variant on the infected host. The malware is hosted on compromised web servers across the globe.
The sample has a very limited detection rate: it is currently detected only as Win32.HLLW.Autoruner.52856 (Dr.Web) and HEUR:Trojan.Win32.Generic (Kaspersky). CSIS has discovered a new worm that spreads through the social network Facebook. It is a classic worm: once it has infected a system, it uses the victim's logged-in Facebook session to spam the victim's friends and acquaintances with messages. Each message consists solely of a link (spaces inserted by CSIS to defang the URL):

https://www.offi sense.co.il/lang/images.php?facebook image=...2119

If the link is clicked, the user is enticed to open what appears to be a screensaver (see screenshot below), which then drops malicious code on the system. The code is written in Visual Basic 6.0 and contains numerous anti-VM tricks aimed at VMware, Sandboxie, VirtualBox and others. The malicious code then downloads a second stage from (spaces inserted by CSIS):

https://www.offi sense.co.il/lang/b.exe

It then attempts to copy the following file onto the system:

c:\users\[%userprofile%]\m-1-52-5782-8752-5245\winsvc.exe

The worm carries a cocktail of malware onto the machine, including a Zbot/ZeuS variant, which is a serious threat that steals sensitive information from the infected machine.
The worm has already captured a large number of domains from which it actively spreads (spaces inserted by CSIS):

https://www.vinam ost.net
https://www.ferry. coza
https://www.maxim ilian-adam.com
https://www.bacol odhouseandlot.com/
https://www.servi ceuwant.com
https://www.centr alimoveisbonitoms.com.br
https://www.werea d.in.th
https://www.villa matildabb.com
https://www.fiona gh-Bennett-music.co.uk
https://www.uksei katsu.com
https://www.bzoe- salzkammergut.at
https://www.delic escolres.com
https://www.dekie viten.nl

The compromised servers also serve another purpose: they collect data about the infected machines while simultaneously serving the additional malware. A directory listing on one of the servers looks as follows:

Index of /images
Parent Directory
GeoIP.dat
PIC96477.JPG.scr
b.exe
count.txt
f.exe
geoip.inc
images.php
util.php

The many malicious domains are of course already blocked in the CSIS Secure DNS.
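As an added defensive example (this is not code from the CSIS write-up), the following Python turns the indicators above into a simple detector: it re-fangs the CSIS domain list, flags image-named files that end in an executable extension such as PIC96477.JPG.scr, checks the two URL paths reported above, and looks for winsvc.exe written beneath a user profile. The proxy log lines are constructed for the example, and the drop-path pattern is an assumption that generalizes the single reported directory name to any directory directly under a user profile.

```python
import re
from urllib.parse import urlparse

# Hostnames published by CSIS, kept exactly as CSIS defanged them (a space
# inserted into each name so the text cannot be clicked by accident).
CSIS_DEFANGED_HOSTS = [
    "www.offi sense.co.il",
    "www.vinam ost.net",
    "www.ferry. coza",
    "www.maxim ilian-adam.com",
    "www.bacol odhouseandlot.com",
    "www.servi ceuwant.com",
    "www.centr alimoveisbonitoms.com.br",
    "www.werea d.in.th",
    "www.villa matildabb.com",
    "www.fiona gh-Bennett-music.co.uk",
    "www.uksei katsu.com",
    "www.bzoe- salzkammergut.at",
    "www.delic escolres.com",
    "www.dekie viten.nl",
]

# URL paths seen in the CSIS write-up (lure page and second-stage download).
KNOWN_PATHS = {"/lang/images.php", "/lang/b.exe"}

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
EXEC_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}

# Assumption: the dropped file sits one directory below a user profile, e.g.
# c:\users\<name>\m-1-52-5782-8752-5245\winsvc.exe as reported by CSIS.
DROP_PATH_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\\winsvc\.exe$",
                          re.IGNORECASE)


def refang(host):
    """Undo the CSIS defanging: strip the inserted spaces and lower-case."""
    return host.replace(" ", "").lower()


MALICIOUS_HOSTS = {refang(h) for h in CSIS_DEFANGED_HOSTS}


def is_image_lure(filename):
    """True for names like PIC96477.JPG.scr: image extension, then executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTS and parts[1] in IMAGE_EXTS


def classify_url(url):
    """Return the list of reasons a URL matches this campaign (empty if clean)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        reasons.append("host on CSIS indicator list")
    if parsed.path.lower() in KNOWN_PATHS:
        reasons.append("path matches campaign URL")
    if is_image_lure(parsed.path.rsplit("/", 1)[-1]):
        reasons.append("image-named file with executable extension")
    return reasons


def is_suspicious_drop_path(path):
    """Flag winsvc.exe written beneath a user profile rather than a system directory."""
    return DROP_PATH_RE.match(path.replace("/", "\\")) is not None


# Constructed sample proxy log: "<timestamp> <user> <url>" per line.
SAMPLE_PROXY_LOG = """\
2011-11-28T10:02:11Z alice https://www.facebook.com/messages/
2011-11-28T10:02:40Z alice https://www.offisense.co.il/lang/images.php
2011-11-28T10:02:47Z alice https://www.vinamost.net/images/PIC96477.JPG.scr
2011-11-28T10:03:01Z alice https://www.offisense.co.il/lang/b.exe
2011-11-28T10:05:00Z bob https://www.example.org/photos/holiday.jpg
"""


def scan_proxy_log(log_text):
    """Return (line_no, user, url, reasons) for each log line that matches."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3:
            continue
        reasons = classify_url(fields[2])
        if reasons:
            hits.append((line_no, fields[1], fields[2], reasons))
    return hits


if __name__ == "__main__":
    for line_no, user, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {user} -> {url}: {', '.join(reasons)}")
```

The double-extension check is the part worth keeping after this campaign is gone: a name whose last extension is executable but whose previous extension is an image type is the same lure regardless of which domains host it, and it can be applied to mail attachments and download logs as well as proxy logs.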
At the time of analysis, VirusTotal reported the following (very poor) detection results for the malicious code: only 2 of the 43 engines flagged it.

Antivirus              Version             Last update   Result
AhnLab-V3              2011.11.28.00       2011-11-28    -
AntiVir                126.96.36.199       2011-11-28    -
Antiy-AVL              188.8.131.52        2011-11-28    -
Avast                  6.0.1289.0          2011-11-28    -
AVG                    10.0.0.1190         2011-11-28    -
BitDefender            7.2                 2011-11-28    -
ByteHero               184.108.40.206      2011-11-14    -
CAT-QuickHeal          12.00               2011-11-28    -
ClamAV                 0.97.3.0            2011-11-28    -
Commtouch              220.127.116.11      2011-11-28    -
Comodo                 10791               2011-11-27    -
DrWeb                  5.0.2.03300         2011-11-28    Win32.HLLW.Autoruner.52856
Emsisoft               18.104.22.168       2011-11-28    -
eSafe                  22.214.171.124      2011-11-28    -
eTrust-Vet             37.0.9590           2011-11-28    -
F-Prot                 126.96.36.199       2011-11-28    -
F-Secure               9.0.16440.0         2011-11-28    -
Fortinet               4.3.370.0           2011-11-27    -
GData                  22                  2011-11-28    -
Ikarus                 T188.8.131.52.0     2011-11-28    -
Jiangmin               13.0.900            2011-11-28    -
K7AntiVirus            9119.5542           2011-11-25    -
Kaspersky              184.108.40.2067     2011-11-28    HEUR:Trojan.Win32.Generic
McAfee                 5.400.0.1158        2011-11-28    -
McAfee-GW-Edition      2010.1D             2011-11-28    -
Microsoft              1.7801              2011-11-28    -
NOD32                  6666                2011-11-28    -
Norman                 6.07.13             2011-11-28    -
nProtect               2011-11-28.02       2011-11-28    -
Panda                  10.0.3.5            2011-11-27    -
PCTools                220.127.116.11      2011-11-28    -
Prevx                  3.0                 2011-11-28    -
Rising                 23.86.00.01         2011-11-28    -
Sophos                 4.71.0              2011-11-28    -
SUPERAntiSpyware       18.104.22.1686      2011-11-26    -
Symantec               2022.214.171.124    2011-11-28    -
TheHacker              126.96.36.199.350   2011-11-27    -
TrendMicro             9.500.0.1008        2011-11-28    -
TrendMicro-HouseCall   9.500.0.1008        2011-11-28    -
VBA32                  188.8.131.52        2011-11-28    -
VIPRE                  11170               2011-11-28    -
ViRobot                2011.11.28.4797     2011-11-28    -
VirusBuster            184.108.40.206      2011-11-28    -