Twitter, Google and Hi5 being abused in Prolaco worm distribution

Twitter, Google and the social networking site Hi5 are being abused in an email campaign to distribute the Prolaco worm. The campaigns have the following characteristics. Note that the email addresses are spoofed.

The malware is known as Worm.Win32.Prolaco.gen (Sunbelt), Worm:Win32/Prolaco.gen!C (Microsoft) and Worm.Win32.Prolaco (Ikarus).

Twitter

From: <invitations@twitter.com>
Subject: Your friend invited you to twitter!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

In this campaign, Twitter is used as the lure to get the attachment opened. The email instructs you to open the attachment to see who invited you on Twitter.

Google

From: <resume-thanks@google.com>
Subject: Thank you from Google!

Attachment: CV-20100120-112.zip (approx 348 kB)

Body of the email:

Google is supposedly thanking you for the resume that you sent for an open position. According to the instructions in the email, you should open the attachment to review your submitted application.

Hi5

From: <invitations@hi5.com>
Subject: Jessica would like to be your friend on hi5!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

The social network Hi5 has been used in previous malware campaigns as well as in phishing campaigns. This time you are invited to connect with Jessica, who has attached her invitation card for you to open.

Be aware that when you connect with a person on Hi5, or want to follow a person on Twitter, you never have to download and install a piece of software; in these cases the attachment is malware. All actions are done through their web sites, so do not open the attachments in similar future campaigns.

About Prolaco:

Prolaco will create the following files on your system:

%AppData%\SystemProc\lsass.exe
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
%System%\GoogleUpdater.exe

The following directories are created:

%AppData%\SystemProc
%ProgramFiles%\Mozilla Firefox
%ProgramFiles%\Mozilla Firefox\extensions
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

The following services are modified:

ERSvc Error Reporting Service
“Stopped” %System%\svchost.exe -k netsvcs

wscsvc Security Center
“Stopped” %System%\svchost.exe -k netsvcs

The worm will also modify the Windows registry and can make UDP connections over ports 1069 and 1070.
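As an added example (not part of the original MX Lab post), the following Python script turns the host artifacts listed above into a simple check that can be run over a collected file inventory and service list; the environment variable values and the inventory lines are constructed sample data.

```python
import re
from typing import Dict, Iterable, List

# File artifacts named in the advisory above, using %VAR% placeholders.
PROLACO_FILES = [
    r"%AppData%\SystemProc\lsass.exe",
    r"%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul",
    r"%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest",
    r"%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf",
    r"%System%\GoogleUpdater.exe",
]

# Services the advisory says the worm leaves in the "Stopped" state.
PROLACO_STOPPED_SERVICES = ["ERSvc", "wscsvc"]

_VAR = re.compile(r"%([^%]+)%")


def expand(template: str, env: Dict[str, str]) -> str:
    """Expand %VAR% placeholders with a case-insensitive lookup in env."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), template)


def find_prolaco_artifacts(inventory: Iterable[str], env: Dict[str, str],
                           stopped_services: Iterable[str]) -> List[str]:
    """Return the advisory indicators that are present on the host.

    Paths are compared case-insensitively, as Windows does. Note that the
    legitimate lsass.exe lives in %System%; only the copy under
    %AppData%\SystemProc is an indicator.
    """
    present = {p.lower() for p in inventory}
    hits = [t for t in PROLACO_FILES if expand(t, env).lower() in present]
    stopped = {s.lower() for s in stopped_services}
    hits += [f"service stopped: {s}" for s in PROLACO_STOPPED_SERVICES if s.lower() in stopped]
    return hits


def demo() -> List[str]:
    """Run the check over constructed sample data from an infected host."""
    env = {"AppData": r"C:\Users\alice\AppData\Roaming",
           "ProgramFiles": r"C:\Program Files", "System": r"C:\Windows\System32"}
    inventory = [  # constructed file listing
        r"C:\Windows\System32\lsass.exe",                       # legitimate
        r"C:\Users\alice\AppData\Roaming\SystemProc\LSASS.EXE",  # indicator
        r"C:\Windows\System32\GoogleUpdater.exe",               # indicator
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
    ]
    return find_prolaco_artifacts(inventory, env, ["wscsvc", "Spooler"])
```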

At the time of writing this article, 27 out of 41 AV engines detect the Prolaco worm.

VirusTotal permalink and MD5: c0464909947c92c07f5a91f9d675f03d

“updated account agreement” email contains Bredolab trojan

MX Lab started to intercept emails with the subject “updated account agreement” that contain the Bredolab trojan. Judging by the content, the campaign targets Facebook users. The email comes from a spoofed address and is signed “Facebook Team”.

The body of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

The email has the ZIP archive agreement.zip attached; once unpacked, it yields the 28 kB file agreement.exe.

Facebook, or any other company, will never distribute agreements, software updates and patches or anything else as email attachments. Our recommendation is to delete the email immediately, because a lot of AV engines do not detect this variant very well at the moment.

VirusTotal permalink and MD5: cc632e1dad8775e2bb558a6cd247b94b.
