Recently, I was in Singapore to give a number of talks on Spyware and Adware attacks. Interestingly, a number of people in the area Emailed me to let me know about something infecting their friends via MSN Messenger. As we investigated further, it did indeed seem to be based around the Singapore area (with a few mentions of it on Chinese forums, too). Here's a screenshot from a popular Singapore community forum:
...and here's a screenshot from a Chinese forum:
...note the Flag of Hong Kong in the bottom left hand corner. All the cases we've seen of this so far have been limited to the Singapore region, with a couple of individuals mentioning it on Hong Kong-centric forums. Of course, this doesn't mean there aren't other victims out there but the spread so far seems to be quite limited.
Check out this map -
There are many, many domains hosting the main Executable (dubbed "Singworm") pushed by the Instant Messaging infection link, the majority of which are hosted in Hong Kong and Taiwan. Yet another file (Winsys.exe) is downloaded from a number of different servers, one of which is apparently running out of Israel.
Variants of Winsys.exe have been known to be involved in various types of data theft, including login details, banking information and personal data.
The worm itself is mostly built for Spamming, with elements of the Stration Worm and other pieces of Malware thrown in for good measure.
It starts, as it always does, with the downloading and execution of a single file - in this case, rather oddly called "I.am.exe":
As soon as you run the file, the system attempts to start sending spam via the collection of files already deposited on the PC. At certain points in time, the amount of Spam the system was trying to send was so much that the testbox slowed down to a crawl and a reboot was needed. Here's a few of the files dropped into the System32 Folder:
At this point, if you have MSN Messenger the inevitable infection link will appear in the chat window of your contacts, which says "here are new smiles for MSN, they are incredible!":
....and of course, you'll send your infection link again.....and again.....and again.....
At this point, detection for most of the files involved in this on Virustotal.com is sketchy at best. We've notified MSN of this threat - in the meantime, if you're in the Singapore and Hong Kong regions, be aware of any strange links coming through from your colleagues...
Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: CC, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Senior Threat Researcher
Leave a comment