SpywareGuide powered by FaceTime Security Labs
Bubbles...For Kids!

The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

It starts with an executable downloaded from a questionable website. This executable copies itself into the system32 directory of the victim PC; the four files shown below are copies of the main executable:

http://blog.spywareguide.com/upload/2007/09/hiddenfiles-thumb.PNG


That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo.exe:

http://blog.spywareguide.com/upload/2007/09/runescape-thumb.PNG


For those not aware, Runescape is an MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking not only for "runescape", but for "RS PIN:" as well. Could this mean payment details? Or (more likely), could they be referring to the victim's PIN for their in-game bank? Whether it's to simply loot your gold or to sell the PIN on illegal forums is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information in a file in the system32 directory called syswinf32.dll.

http://blog.spywareguide.com/upload/2007/09/syswinf-thumb.PNG


Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.
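As an added defender-side example (not code from the original post or from FSL), the script below applies the two file-system indicators described above to a constructed sample directory standing in for system32: several byte-identical copies of one executable, and a .dll whose contents are not a PE image but a plain-text log. Only pdo.exe and syswinf32.dll are names from the post; the other copy names and the log contents are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Name the post gives for the worm's keystroke log (a text file dressed up as a .dll).
LOG_NAME = "syswinf32.dll"
# Name the post gives for the main executable; the other dropped copies below are assumed names.
MAIN_EXE = "pdo.exe"


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_system32(directory):
    """Return (clones, fake_dlls): groups of byte-identical files (the worm drops several
    copies of one executable) and .dll names lacking the 'MZ' PE header (a log named as a DLL)."""
    by_hash = defaultdict(list)
    fake_dlls = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        by_hash[sha256_file(path)].append(name)
        if name.lower().endswith(".dll"):
            with open(path, "rb") as f:
                if f.read(2) != b"MZ":
                    fake_dlls.append(name)
    clones = [names for names in by_hash.values() if len(names) > 1]
    return clones, fake_dlls


def build_sample_dir():
    """Constructed sample: four copies of one 'executable', a legitimate-looking DLL stub,
    and a plain-text keystroke log named syswinf32.dll. Nothing here is real malware."""
    d = tempfile.mkdtemp()
    payload = b"MZ" + b"\x00" * 62 + b"constructed-sample-worm-body"
    for name in [MAIN_EXE, "copy1.exe", "copy2.exe", "copy3.exe"]:  # copy names are assumed
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(d, "kernel32.dll"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"real-dll-stub")
    with open(os.path.join(d, LOG_NAME), "wb") as f:
        f.write(b"[skype.exe] typed: hello\r\n[firefox.exe] visited: example.com\r\n")
    return d


if __name__ == "__main__":
    clones, fake_dlls = scan_system32(build_sample_dir())
    print("identical-file groups:", clones)
    print("non-PE .dll files:", fake_dlls)
```

On a live system the scan would be pointed at the real system32 path, where a group of identical executables or a non-PE .dll is worth a closer look rather than proof of infection on its own.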

http://blog.spywareguide.com/upload/2007/09/skypemsg-thumb.PNG

Now this worm starts looking familiar. This is the exact same behavior we observed in the original Bubbles worm. When you put it all together, what do you get? You get a worm/keylogger that spreads through Skype contacts and targets the teenagers that play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher
Additional Research: Deepak Setty, Senior Threat Researcher


Comments

What the hell? Runescape? Of all games, Runescape? That game's crap as it is without people robbing you when you play!


© Copyright 2006, FaceTime Communications, Inc. All rights reserved.