Twitter, Google and Hi5 being abused in Prolaco worm distribution
February 10, 2010
Twitter, Google and the social networking site Hi5 are being abused in an email campaign to distribute the Prolaco worm. The campaigns have the following characteristics. Note that the email addresses are spoofed.
The malware is known as Worm.Win32.Prolaco.gen (Sunbelt), Worm:Win32/Prolaco.gen!C (Microsoft) and Worm.Win32.Prolaco (Ikarus).
From: <invitations@twitter.com>
Subject: Your friend invited you to twitter!
Attachment: Invitation Card.zip (approx 348 kB)
Body of the email:

In this campaign, Twitter is being used to get the attachment clicked upon. The email instructs you to open the attachment to see who invited you on Twitter.
From: <resume-thanks@google.com>
Subject: Thank you from Google!
Attachment: CV-20100120-112.zip (approx 348 kB)
Body of the email:

Google is thanking you for the resume that you sent in for an open position. According to the email, you should open the attachment to review your submitted application.
Hi5
From: <invitations@hi5.com>
Subject: Jessica would like to be your friend on hi5!
Attachment: Invitation Card.zip (approx 348 kB)
Body of the email:

The social network Hi5 has been used in previous campaigns and also in phishing campaigns. This time you are invited to connect to Jessica and she has attached her invitation card for you to open.
Be aware that when you connect to a person on Hi5, or want to follow a person on Twitter, you never have to download and install a piece of software (in these cases, malware). All actions are done through their web sites, so do not open the attachments in similar future campaigns.
About Prolaco:
Prolaco will create the following files on your system:
%AppData%\SystemProc\lsass.exe
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
%System%\GoogleUpdater.exe
The following directories are created:
%AppData%\SystemProc
%ProgramFiles%\Mozilla Firefox
%ProgramFiles%\Mozilla Firefox\extensions
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content
The following services are modified (both are set to "Stopped"):
ERSvc (Error Reporting Service): %System%\svchost.exe -k netsvcs
wscsvc (Security Center): %System%\svchost.exe -k netsvcs
The trojan also modifies the Windows registry and can make UDP connections over ports 1069 and 1070.
At the time of writing, 27 of the 41 AV engines on VirusTotal detect the Prolaco worm.
VirusTotal permalink and MD5: c0464909947c92c07f5a91f9d675f03d
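Two defensive checks built from the details above, as an added example that is not part of the original post: a mail triage rule for the three spoofed-sender campaigns (sender plus lure attachment, since a real invitation never carries a file), and a host check against the file paths listed under "About Prolaco". The sender addresses, attachment names and paths come from the post; the regex for Google's CV attachment, the sample message and the environment-variable values are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Spoofed From address and lure attachment per campaign, from the post. The regex for
# Google's CV-<date>-<n>.zip generalises the single observed name (an assumption).
CAMPAIGNS = {
    "twitter": ("invitations@twitter.com", re.compile(r"^invitation card\.zip$", re.I)),
    "google": ("resume-thanks@google.com", re.compile(r"^cv-\d{8}-\d+\.zip$", re.I)),
    "hi5": ("invitations@hi5.com", re.compile(r"^invitation card\.zip$", re.I)),
}
# File paths the post lists as created by Prolaco, in environment-variable form.
PROLACO_FILES = [
    r"%AppData%\SystemProc\lsass.exe",
    r"%System%\GoogleUpdater.exe",
    r"%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf",
]

def classify_mail(raw):
    """Return the campaign a raw RFC 822 message matches, or None.
    A hit needs the spoofed sender AND the lure .zip: a genuine invitation from
    these services carries no file, and the sender alone is trivially spoofed."""
    msg = message_from_string(raw)
    sender = re.sub(r"^.*<([^>]+)>.*$", r"\1", msg.get("From", "")).strip().lower()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    for campaign, (spoofed, lure) in CAMPAIGNS.items():
        if sender == spoofed and any(lure.match(n) for n in names):
            return campaign
    return None

def host_hits(observed_paths, env):
    """Match absolute paths (from a directory listing or sandbox report) against
    PROLACO_FILES, expanding each %Var% with the given name->value mapping."""
    expected = set()
    for indicator in PROLACO_FILES:
        for var, val in env.items():
            indicator = indicator.replace(var, val)
        expected.add(indicator.lower())
    return sorted(p for p in observed_paths if p.lower() in expected)

# Constructed sample message mimicking the Twitter lure described in the post.
SAMPLE_TWITTER = (
    "From: Twitter <invitations@twitter.com>\nSubject: Your friend invited you to twitter!\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n--b\nContent-Type: text/plain\n\n'
    "Open the attached card.\n--b\nContent-Type: application/zip\n"
    'Content-Disposition: attachment; filename="Invitation Card.zip"\n\nUEsDBA==\n--b--\n'
)
# Constructed Windows XP-style variable values for host_hits (assumed, not from the post).
SAMPLE_ENV = {"%AppData%": r"C:\Documents and Settings\user\Application Data",
              "%System%": r"C:\WINDOWS\system32", "%ProgramFiles%": r"C:\Program Files"}
```

Feed `classify_mail` raw messages from a mail gateway quarantine and `host_hits` a file listing from a suspect machine; both return only the matches so the output can go straight into a ticket.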

I’ve gotten all three of these messages EXACTLY as described here within 2 days of each other. Thankfully, I didn’t open the attachments.
Our school system uses Novell GroupWise as our email client. I don't know what filtering software we have but this worm is currently getting through.
Thanks for posting this. It makes it much easier to share with tech support.
TODAY SOMEONE STOLE MY ACCOUNTS. WHAT CAN I DO TO RECOVER THIS ONE? PLEASE ANSWER TO MY YAHOO E-MAIL. THANKS IN FORWARD.