Singworm Spreading in Singapore / Hong Kong Via MSN Messenger


Recently, I was in Singapore to give a number of talks on spyware and adware attacks. Interestingly, a number of people in the area emailed me to let me know about something infecting their friends via MSN Messenger. As we investigated further, it did indeed seem to be centred on the Singapore area (with a few mentions of it on Chinese-language forums, too). Here's a screenshot from a popular Singapore community forum:

http://blog.spywareguide.com/upload/2007/08/singworm4-thumb.jpg

...and here's a screenshot from a Chinese forum:

http://blog.spywareguide.com/upload/2007/08/singworm5-thumb.jpg

...note the flag of Hong Kong in the bottom left-hand corner. All the cases we've seen so far have been limited to the Singapore region, with a couple of individuals mentioning it on Hong Kong-centric forums. Of course, this doesn't mean there aren't other victims out there, but the spread so far seems to be quite limited.

Check out this map -

singworm8.jpg

There are many, many domains hosting the main executable (dubbed "Singworm") pushed by the instant-messaging infection link; the majority of them are hosted in Hong Kong and Taiwan. A further file, Winsys.exe, is downloaded from a number of different servers, one of which is apparently running out of Israel.

winsysexefile.GIF

Variants of Winsys.exe have been known to be involved in various types of data theft, including login details, banking information and personal data.

The worm itself is built mostly for spamming, with elements of the Stration worm and other pieces of malware thrown in for good measure.

It starts, as these infections always do, with the download and execution of a single file, in this case rather oddly named "I.am.exe":

http://blog.spywareguide.com/upload/2007/08/singworm1-thumb.jpg

As soon as you run the file, the system starts trying to send spam via the collection of files already deposited on the PC. At times the volume of spam the system was trying to send was so high that the test box slowed to a crawl and needed a reboot. Here are a few of the files dropped into the System32 folder:

http://blog.spywareguide.com/upload/2007/08/singworm2-thumb.jpg

At this point, if you have MSN Messenger, the inevitable infection link will appear in your contacts' chat windows, accompanied by the message "here are new smiles for MSN, they are incredible!":

http://blog.spywareguide.com/upload/2007/08/singworm6-thumb.jpg

...and of course, your account will keep sending the infection link to your contacts again... and again... and again...

http://blog.spywareguide.com/upload/2007/08/singworm7-thumb.jpg
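As an added example (not code from the original post), here is a small Python triage script for IM chat logs that captures the two behaviours described above: a link to an executable wrapped in "new smiles for MSN" wording, and the same link being fanned out from one account to many contacts. The sample log lines, the `.invalid` hostnames, the fan-out threshold, and the lists of executable extensions and lure keywords beyond "smiles" are constructed assumptions for the example, not data taken from the post.

```python
"""Flag IM messages that look like the Singworm lure described in the post:
an executable link dressed up as "new smiles for MSN", and the same link
sent from one account to many contacts. Added example, not the post's code."""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# Assumption: typical IM-worm payload extensions; the post only shows .exe.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# "smiles" is the wording from the post; the other words are assumed variants.
LURE_WORDS = ("smiles", "smileys", "emoticons")
# Assumption: one link from one sender to 3+ distinct contacts is worth a look.
FANOUT_THRESHOLD = 3


def lure_score(text):
    """Return (score, reasons) for one message body.

    Score counts independent indicators: lure wording and each executable link."""
    reasons = []
    low = text.lower()
    if "msn" in low and any(word in low for word in LURE_WORDS):
        reasons.append("msn-smiles lure wording")
    for url in URL_RE.findall(text):
        if urlparse(url).path.lower().endswith(EXEC_EXTS):
            reasons.append(f"executable link {url}")
    return len(reasons), reasons


def analyse(messages, fanout_threshold=FANOUT_THRESHOLD):
    """Return (alerts, spreaders).

    alerts: (sender, recipient, reasons) for every message that scores > 0.
    spreaders: {(sender, url): sorted recipients} for links that reached at
    least fanout_threshold distinct contacts, i.e. worm-like fan-out."""
    alerts = []
    fanout = defaultdict(set)
    for sender, recipient, text in messages:
        score, reasons = lure_score(text)
        if score:
            alerts.append((sender, recipient, reasons))
        for url in URL_RE.findall(text):
            fanout[(sender, url)].add(recipient)
    spreaders = {
        key: sorted(recips)
        for key, recips in fanout.items()
        if len(recips) >= fanout_threshold
    }
    return alerts, spreaders


# Constructed sample log (sender, recipient, message); hosts use the
# reserved .invalid TLD so nothing here resolves. Not real captures.
SAMPLE_LOG = [
    ("alice", "bob",   "here are new smiles for MSN, they are incredible! http://example.invalid/I.am.exe"),
    ("alice", "carol", "here are new smiles for MSN, they are incredible! http://example.invalid/I.am.exe"),
    ("alice", "dave",  "here are new smiles for MSN, they are incredible! http://example.invalid/I.am.exe"),
    ("bob",   "alice", "lol what is that link?"),
    ("carol", "dave",  "meeting notes: http://intranet.example.invalid/notes.html"),
    ("erin",  "frank", "check this pic http://photos.example.invalid/holiday.jpg"),
]

if __name__ == "__main__":
    found, spreading = analyse(SAMPLE_LOG)
    for sender, recipient, why in found:
        print(f"ALERT {sender} -> {recipient}: {'; '.join(why)}")
    for (sender, url), recips in spreading.items():
        print(f"FAN-OUT {sender} sent {url} to {len(recips)} contacts: {', '.join(recips)}")
```

The fan-out check is the more robust of the two: the lure text and the hosting domains changed across the many servers the post mentions, but an account pushing one identical link to a string of contacts in a short window looks the same whatever the bait says.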

At this point, detection on VirusTotal for most of the files involved is sketchy at best. We've notified MSN of this threat; in the meantime, if you're in the Singapore or Hong Kong region, be wary of any strange links coming through from your contacts...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: CC, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Senior Threat Researcher


About this Entry

This page contains a single entry by Christopher Boyd published on August 30, 2007 8:12 AM.
