Possible new Twitter worm
by Manuel Humberto Santander Pelaez (Version: 1)
Looks like there is a new Twitter worm out there. There is an increased number of messages like the following ones:
Those short URLs point to the servers hosting the malware. The following are some of the malicious URLs I could gather (CAREFUL: THEY ARE STILL ACTIVE):
- http://cainnoventa.it/m28sx.html
- http://servizialcittadino.it/m28sx.html
- http://aimos.fr/m28sx.html
- http://lowcostcoiffure.fr/m28sx.html
- http://s15248477.onlinehome-server.info/m28sx.html
- http://www.waseetstore.com/m28sx.html
- http://www.gemini.ee/m28sx.html
After clicking the URL, you are sent to a fake AV web page:
The malware downloaded is named pack.exe, md5 264ebccca76bdb89f4ae9519c4cd267e, sha1 d16573ce7ce7710865b34bc1abeef699c20549ed. 2 of 43 AV engines on VirusTotal detect it as SecurityShieldFraud as of January 20 2011 16:19:58 UTC.
When the malware infects the machine, it copies itself to C:\Documents and Settings\<your username>\Local Settings\Application Data\mbcjmhny.exe, ensures that cmd.exe exists, kills the running malware process, deletes the downloaded malware and starts it again from the location it copied itself to, using the following command:
"C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1576 & ping -n 3 127.1 & del /f /q "C:\pack.exe" & start C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\mbcjmhny.exe -f
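The cmd.exe chain above (kill the original process, wait via ping, delete the dropped file, start the copy from the user's Application Data folder) is a pattern a defender can look for in process-creation logs. The following is an added example, not code from the diary or its author: it splits a cmd.exe /c command line on the & operator outside quotes, classifies each step, and flags an ordered kill/delete/start chain whose start target lives under Local Settings\Application Data. The sample command lines are constructed (the first is the chain quoted in the diary; the last is a constructed variant using && and long path names), and the 8.3 short-name table is an assumption used only to normalise paths before matching.

```python
"""Flag the kill / delay / delete / restart cmd.exe chain from the diary.

Added example, not ISC code: parses a Windows cmd.exe /c command line as it
would appear in a process-creation log and flags the self-relocation pattern.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Assumed 8.3 short names for the per-user profile path the diary names.
SHORT_NAMES = {
    "DOCUME~1": "Documents and Settings",
    "LOCALS~1": "Local Settings",
    "APPLIC~1": "Application Data",
}

# Per-user, user-writable location the copy is started from.
USER_APPDATA_RE = re.compile(
    r"Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\", re.I)

# Constructed process-creation command lines; index 0 is the diary's chain.
SAMPLE_CMDLINES = [
    r'"C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1576 & ping -n 3 127.1 '
    r'& del /f /q "C:\pack.exe" & start C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\mbcjmhny.exe -f',
    # benign cleanup: kills and deletes, but never restarts anything
    r'cmd.exe /c taskkill /f /im notepad.exe & del /q C:\temp\report.tmp',
    # benign updater: delays and starts from Program Files, no kill or delete
    r'"C:\Windows\system32\cmd.exe" /c ping -n 2 127.0.0.1 & start "" "C:\Program Files\Foo\updater.exe"',
    # constructed variant of the same technique using && and long path names
    r'cmd /c taskkill /f /im pack.exe && del "C:\Documents and Settings\bob\Desktop\pack.exe" '
    r'&& start "" "C:\Documents and Settings\bob\Local Settings\Application Data\qwerty.exe"',
]


def split_cmd_chain(cmdline: str) -> List[str]:
    """Return the steps cmd.exe /c (or /k) runs, split on '&' / '&&' outside quotes."""
    m = re.match(r'\s*"?([^"]*?cmd(?:\.exe)?)"?\s+/[ck]\s+(.*)$', cmdline, re.I | re.S)
    if not m:
        return []
    steps, cur, quoted = [], [], False
    for ch in m.group(2):
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            steps.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    steps.append("".join(cur).strip())
    return [s for s in steps if s]


def tokenize(step: str) -> List[str]:
    """Whitespace tokenizer that keeps double-quoted spans together and drops the quotes."""
    tokens, cur, quoted = [], [], False
    for ch in step:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def classify_step(step: str) -> str:
    """Map one step to kill / delay / delete / start / other."""
    tokens = tokenize(step)
    verb = tokens[0].lower() if tokens else ""
    if verb in ("taskkill", "taskkill.exe"):
        return "kill"
    if verb in ("ping", "ping.exe") and "-n" in (t.lower() for t in tokens):
        return "delay"  # ping against loopback is the usual stand-in for sleep
    if verb in ("del", "erase"):
        return "delete"
    if verb == "start":
        return "start"
    return "other"


def expand_short_names(path: str) -> str:
    """Replace the assumed 8.3 fragments so the path can be matched against USER_APPDATA_RE."""
    for short, long_name in SHORT_NAMES.items():
        path = re.sub(re.escape(short), long_name, path, flags=re.I)
    return path


@dataclass
class Finding:
    suspicious: bool
    stages: List[str] = field(default_factory=list)
    started_target: str = ""
    reason: str = ""


def analyze_cmdline(cmdline: str) -> Finding:
    """Flag an ordered kill -> delete -> start chain whose start target is in user AppData."""
    steps = split_cmd_chain(cmdline)
    stages = [classify_step(s) for s in steps]
    target = ""
    for step, kind in zip(steps, stages):
        if kind == "start":
            # first argument that is not a /switch; tokenize() already dropped a "" title
            args = [t for t in tokenize(step)[1:] if not t.startswith("/")]
            target = expand_short_names(args[0]) if args else ""
    order = [stages.index(k) for k in ("kill", "delete", "start") if k in stages]
    ordered = len(order) == 3 and order == sorted(order)
    if ordered and USER_APPDATA_RE.search(target):
        return Finding(True, stages, target,
                       "kill/delete/start chain restarting a binary from user Application Data")
    return Finding(False, stages, target, "pattern not matched")


def flag_suspicious(cmdlines: List[str]) -> List[int]:
    """Indexes of the command lines the analyzer flags."""
    return [i for i, c in enumerate(cmdlines) if analyze_cmdline(c).suspicious]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_CMDLINES):
        f = analyze_cmdline(line)
        print(i, f.suspicious, f.stages, f.reason)
```

The ordering check matters: a cleanup script that kills and deletes without starting anything, or an updater that delays and starts something from Program Files, should not fire, while the diary's chain and its long-path variant both do. Feed the real command-line field of your process-creation events to flag_suspicious rather than the constructed list.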
We will keep analyzing the malware and post an update with more information.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Comments
GET /cb_soft.php?q=***&uu=0
Host: 91.193.195.19
GET /buy.php?q=***
Host: 194.28.113.25
GET /js/jquery=1.3.2.js
Host: 194.28.113.25
Darkfiber
Jan 20th 2011
- http://www.pcworld.com/article/217308/twitter_targeted_with_fake_antivirus_software_scam.html
Jan 21, 2011 "... Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that 'we're working to remove the malware links and reset passwords on compromised accounts.' 'Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?' she wrote. 'That's malware. Don't install'..."
PC.Tech
Jan 21st 2011