Twitter, Google and Hi5 being abused in Prolaco worm distribution

February 10, 2010 by mxlab 2 Comments

Twitter, Google and the social networking site Hi5 are being abused in an email campaign to distribute the Prolaco worm. The campaigns have the following characteristics. Note that the email addresses are spoofed.

The malware is known as Worm.Win32.Prolaco.gen (Sunbelt), Worm:Win32/Prolaco.gen!C (Microsoft) and Worm.Win32.Prolaco (Ikarus).

Twitter

From: <invitations@twitter.com>
Subject: Your friend invited you to twitter!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

In this campaign, Twitter is being used to get the attachment clicked upon. The email instructs you to open the attachment to see who invited you on Twitter.

Google

From: <resume-thanks@google.com>
Subject: Thank you from Google!

Attachment: CV-20100120-112.zip (approx 348 kB)

Body of the email:

Google is thanking you for the resume that you send to them for an open position. To review your submitted application you should open the attachment, according to the instructions in the email.

Hi5

From: <invitations@hi5.com>
Subject: Jessica would like to be your friend on hi5!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

The social network Hi5 has been used in previous campaigns and also in phishing campaigns. This time you are invited to connect to Jessica and she has attached her invitation card for you to open.

Be aware, that when you connect to a person on Hi5, or want to follow a person on Twitter, you never have to download and install a piece of software, in these cases malware. All actions are done through their web sites so do not attempt to open the attachments in similar future campaigns.

About Prolaco:

Prolaco will create the following files on your system:

%AppData%\SystemProc\lsass.exe
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
%System%\GoogleUpdater.exe

The following directories are created:

%AppData%\SystemProc
%ProgramFiles%\Mozilla Firefox
%ProgramFiles%\Mozilla Firefox\extensions
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

The following services are modified:

ERSvc Error Reporting Service
“Stopped” %System%\svchost.exe -k netsvcs

wscsvc Security Center
“Stopped” %System%\svchost.exe -k netsvcs

The trojan will modify the Windows registry and can make UDP connections over port 1069 and 1070.

27 out of the 41 AV engines detect the Prolaco worm at the time of writing this article.

Virus Total permlink and MD5: c0464909947c92c07f5a91f9d675f03d

Filed under Viruses Tagged with , , , ,

Twitter accounts abused by spammers

November 18, 2009 by mxlab 1 Comment

MX Lab detected a spam campaign where Twitter is being abused by spammers to promote online drug stores.

The campaign is sent from random spoofed email addresses and has similar subjects like:

7U1 An amazing selection of brand name medications, all for incredibly low prices!
2F9 Looking for Hytrin? 7N8
6W3 Looking for Abilify?
5Z2 Looking for Fosamax?
4G5 Do you suffer from male impotence? Order Viagra online today 8I7
5Y5 Do you have a urinary blockage?

Some samples of the body:

hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices – up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

And another one

site that pharmacies and big companies don’t want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab…

hxxp://twitter.com/itaiba/status/5803131461

They all have the URL in common that points to a Twitter account. The format is  http://twitter.com/***/status/*** where *** stands for random characters.

Some examples of such an Twitter account that directs you to the online pharmacy.

The med4udirect.com shop looks like this:

The domain appears to registered in China.

 DomainName : MEDS4UDIRECT.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn      

Name Server :NS3.BERTOSNS.COM
Name Server :NS5.LOVELYSNB34.COM
Name Server :NS1.HDNSSTUFF.COM
Name Server :NS6.LOVELYSNB34.COM
Name Server :NS2.HDNSSTUFF.COM
Name Server :NS4.BERTOSNS.COM
Status :clientTransferProhibited
Status :clientDeleteProhibited
Creation  Date :2009-09-26
Expiration Date :2010-09-26
Last Update  Date :2009-11-11

Registrant ID :V-X-63521-21717
Registrant Name :LU TAO
Registrant Organization :LU TAO
Registrant Address :JIEFANGLU251
Registrant City :ShangHai
Registrant Province/State :ShangHai
Registrant Country Code :CN
Registrant Postal Code :200126
Registrant Phone Number :+86.0217415426
Registrant Fax :+86.0217415426
Registrant Email :djsnhe@163.com

Administrative ID :V-X-63521-21717
Administrative Name :LU TAO
Administrative Organization :LU TAO
Administrative Address :JIEFANGLU251
Administrative City :ShangHai
Administrative Province/State :ShangHai
Administrative Country Code :CN
Administrative Postal Code :200126
Administrative Phone Number :+86.0217415426
Administrative Fax :+86.0217415426
Administrative Email :djsnhe@163.com

Billing ID :V-X-63521-21717
Billing Name :LU TAO
Billing Organization :LU TAO
Billing Address :JIEFANGLU251
Billing City :ShangHai
Billing Province/State :ShangHai
Billing Country Code :CN
Billing Postal Code :200126
Billing Phone Number :+86.0217415426
Billing Fax :+86.0217415426
Billing Email :djsnhe@163.com

Technical ID :V-X-63521-21717
Technical Name :LU TAO
Technical Organization :LU TAO
Technical Address :JIEFANGLU251
Technical City :ShangHai
Technical Province/State :ShangHai
Technical Country Code :CN
Technical Postal Code :200126
Technical Phone Number :+86.0217415426
Technical Fax :+86.0217415426
Technical Email :djsnhe@163.com

Filed under Spam Tagged with , , ,

MX Lab on Twitter

October 23, 2009 by mxlab Leave a Comment

Follow the MX Lab tweets on Twitter at http://twitter.com/mxlab/. Stay up to date with the latest news regarding email security in general.

Filed under Various Tagged with ,

Social networks like Twitter also target for spammers

May 8, 2008 by mxlab Leave a Comment

Popular social networks are facing a difficult time to stop spammers from abusing their networks. Twitter, a micro-blogging network site where you can publish text updates via SMS, instant messaging, email, Twitter’s website and third party applications, is one of the many.

They recently started to blacklist people who spam other members and are posting these results on the Twitter Blacklist. At this time they already have 378 blacklisted members on this web site and it’s growing.

 

Filed under Spam, Various Tagged with , ,