Social network Hi5 subject to malware campaign

The social network Hi5, a place where you can connect to your friends, is the target of a malware distribution campaign. MX Lab intercepted emails with the subject “Jessica would like to be your friend on hi5!” carrying an attachment named Invitation Card.zip, which contains the archived file attachment.pdf_[many _spaces]___.exe.

The From address is invitations@hi5.com, but this is spoofed. The body of the email looks quite genuine and appears to come from Hi5. If you receive such a message, namely a request to connect from a so-called friend, bear in mind that a genuine invitation does not normally come with a 244 kB file attached.

The trojan is detected as Win32:Rootkit-gen (Avast), W32/Autorun-AQL (Sophos), Backdoor.Bot.103388 (GData) and VirTool:Win32/Injector.gen!AH (Microsoft).

The trojan has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.

It also has the stealth characteristics common to rootkits and includes a built-in SMTP engine for sending out emails.

On an infected system the trojan creates the files %System%\javaa.exe, %System%\jushred.exe and %System%\sdra64.exe, and the processes jushred.exe and javaa.exe will be running.

A hidden folder %System%\lowsec is created, containing the hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll.

The system services ERSvc (Error Reporting Service) and wscsvc (Security Center) will be stopped and various registry edits will be performed.

The trojan can connect to remote resources on ports 43, 80, 1033 and 1035, and establishes a connection with msnnews.webhop.org.

The built-in SMTP engine sends out emails to distribute the trojan to further victims, using the following lures:

From: invitations@hi5.com
Subject: Jessica would like to be your friend on hi5!
Attachment: Invitation Card.zip

From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-78546325-658742
Attachment: Shipping documents.zip (334,919 bytes)

From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: Postcard.zip (334,919 bytes)

VirusTotal permalink and MD5: 4df3cf28fae7b5b02b2d9f4e03b4dbbd.
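As an added example (not MX Lab's code), a small Python mail check that flags the two traits this campaign relies on: a known lure subject, and a zip attachment whose member carries a document extension padded with spaces or underscores before a real executable extension. The sample message and zip are constructed inline, not captured from the campaign.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Executable extensions that should never arrive inside a "document" archive.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# A document-looking name, a long run of spaces/underscores, then a real
# executable extension, e.g. "attachment.pdf_    ___.exe".
PADDED_RE = re.compile(r"\.(pdf|doc|jpg|txt)[ _]{4,}.*\.(exe|scr|com|pif)$", re.I)
LURE_SUBJECTS = {  # subjects listed in the write-up above
    "Jessica would like to be your friend on hi5!",
    "You have received A Hallmark E-Card!",
}

def suspicious_archive_members(zip_bytes):
    """Return (member, reason) pairs for entries that look like disguised executables."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if PADDED_RE.search(name):
                hits.append((name, "padded double extension"))
            elif any(name.lower().endswith(ext) for ext in EXEC_EXT):
                hits.append((name, "executable inside archive"))
    return hits

def score_message(msg):
    """Return the reasons an EmailMessage matches the campaign pattern (empty if none)."""
    reasons = []
    if msg.get("Subject", "") in LURE_SUBJECTS:
        reasons.append("subject matches known lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            for member, why in suspicious_archive_members(part.get_payload(decode=True)):
                reasons.append(f"{fname}: {member!r} ({why})")
    return reasons

def build_sample(member="attachment.pdf_" + " " * 40 + "___.exe",
                 subject="Jessica would like to be your friend on hi5!"):
    """Constructed sample reproducing the lure layout (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "invitations@hi5.com"  # spoofed sender, as in the campaign
    msg["Subject"] = subject
    msg.set_content("Jessica has invited you to join hi5.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invitation Card.zip")
    return msg
```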

Make sure your WordPress installation is up to date

This may be of interest to users who run their own WordPress installation at a version older than 2.8.4.

“The newly discovered worm is pretty sneaky to say the least. In a nutshell, it crawls the web looking for vulnerable WordPress installations, makes itself an administrator account, takes full control of the website and posts malware and spam to it. It’s also been reported that it will sometimes disable Defensio and other anti-spam plugins. It can be very hard to detect the new malicious administrator user since it hides itself from the users list using JavaScript.”

Read the full story.
