Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database & Site
Security Email Alerts & Updates
Search the Blog
Recent Posts
Monthly Blog Archives
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com

« Pipeline Worm Floods AIM with Botnet Drones | Main | Twisted Pair at Network World Talk Pipeline Worm »

  • IM Worm Attack Cloaked in Virtual Card Hoax- W32Heartworm.A

The Net has a long history of hoaxes and many of the "best" seem to involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or avoiding the gaze of the all seeing eye, there's a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes, and tie it into an actual infection. There's an MSN network instant messenging infection currently on the prowl that has a little fun at the good guy's expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it's fairly subtle and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message similar to the below appear on your screen:

Click to Enlarge

Click the link, and you're taken to the below website:


Click to Enlarge

Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil - in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry - it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see....this:

Click to Enlarge

...confused yet?

Allow me to explain. Rewind back to the infection site - it speaks of a "virtual card for you". Examine the URL the strange heart-picture comes from - Quatrocantos, a well known site dedicated to exposing online web hoaxes. That's right - the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), where the image refers to a "fake" virtual card hoax...and tying it into a real virtual card exploit.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on) for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call "hoax cloaking". It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a "media virus".

For example, a natural response from a user might be to Google "A Virtual Card For You" to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, Mcafee, Trend Micro, and F-Secure all warning this is a hoax and the rest of the sites are very well known and trusted hoax busting sites. The criminal taps into three layers of trust using a hoax which is pretty sophisticated behavior and pretty rarely seen. You can see some more information on the press release here.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

  • TrackBack

Listed below are links to weblogs that reference IM Worm Attack Cloaked in Virtual Card Hoax- W32Heartworm.A:

» Twisted Pair at Network World Talk Pipeline Worm from The SpywareGuide Greynets Blog
Remember the modular Pipeline Worm the Facetime Security Labs Team uncovered recently? The W32.Pipeline Worm, which hit right before the really strange MSN HeartWorm.a...Thanks to the guys Twisted Pair at Network for the mention of the menace. They als... [Read More]

  • Comments

you left the URL in the last pic, becareful

The picture of the heart is served up by a site that tackles online hoaxes, and is perfectly safe. That's why we didn't remove the URL.

Memetic engineering? Who remembers the ILoveYou worm in the Spring of 2000? It was a beautifully written piece of VBScript (this non-programmer was able to understand each step in the code), packaged up into a message with the most powerful phrase known to man.

It did a helluva lot of damage in the wild, and it was not a happy time to be in a tech support role during this period and Y2K...

And all this at the beginning of the dot-com-bomb

help,req knowledge for heartworm

OK, I know a lot about this heartworm worm/hoax. But I have an Infected Computer on my network (more than 250 PCs). Luckely I discovered right away and prevented to spread in my company, I removed it from my domain.
I've being surfin the entire we (inglish and spanish sites) looking for a removal tool or actions, and still cant find anything.
So Please if someone knows something please email me. kokodrilito@yahoo.com

Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.