Skype Worm Preys Upon Good Samaritans


Today we came across a file that sends infection links via Skype, the latest in a long line of Stration / Warezov variants to do such a thing.

However, this one does a few things we've not seen before from this kind of file. Yes, it's a Stration variant and so will attempt to steal your email addresses as standard. What's unusual here is the number of files it drops, and (more creepily) the message that gets sent. I'm not too sure how well news of the disappearance of Madeleine McCann has spread across the Atlantic, but here in Europe (and a few other places) the news continues to rage on with an endless stream of sightings and theories.

So as someone based in the UK, and confronted with the latest developments in this case every day via TV, radio and the Internet, the following random message with its very specific wording generated a really strange resonance for me:

[Image: missingmsg.jpg, the Skype message as received]

To me, this is attempting to play into the heightened sense of "a stranger on every street corner" in a very deliberate fashion. Obviously it's not a direct reference to the McCann case, but the intention of playing upon the current media frenzy regarding the safety of children and / or females in general is clear. Of course, the file being pushed is an executable named "Photo" to further the social engineering bid:

[Image: http://blog.spywareguide.com/upload/2007/11/findgirl1-thumb.jpg, the "Photo" executable being pushed]

It's worth noting (aside from the rather distasteful spam message) that the payload is a lot bigger than what we've typically seen from these sorts of installs in the past (there's a fair amount of CPU drain while the install takes place, too). Here's what you'll find in your System32 folder:

[Image: findgirl3sys32.jpg, files dropped into System32]

And here's what you'll see in your Windows directory if you take a look around:

[Image: findgirl4windows.jpg, files dropped into the Windows directory]

Some of the files dropped seem to be a little random - again, previous Skype hijacks of this nature that we've seen tend to install the same thing almost every single time.

Part of this infection searches all files with the following extensions looking for e-mail information to steal:
- .adb
- .asp
- .cfg
- .cgi
- .dbx
- .dhtm
- .eml
- .htm
- .html
- .jsp
- .mbx
- .mdx
- .mht
- .mmf
- .msg
- .nch
- .ods
- .oft
- .php
- .pl
- .sht
- .shtm
- .stm
- .tbb
- .txt
- .uin
- .wab
- .wsh
- .xls
- .xml

You might want to block all of the following (if you don't already have them on your ban list, that is):

IP addresses:
78.106.123.40
217.75.214.4
79.196.245.234

Domains:
qeruikipoikinfandes.com
xasedriwasderios.com
kadesuitungenfunhansde.com
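If you'd rather hunt for past contact with those hosts than just add them to a ban list, the script below (an added example, not code from the original post or from the SpywareGuide team) matches the post's IPs and domains against proxy and DNS log lines. The log layout it parses (timestamp, client, "dns" or "http", target) and the sample lines themselves are constructed for the example; the indicator values are the ones listed above, with the repeated entries collapsed. Domain matching is case-insensitive, ignores a trailing dot, and also catches subdomains of a listed domain, since a resolver log may show "mail.example.com" rather than the bare name.

```python
import ipaddress
import re

# Indicators taken from the blog post above (duplicate entries removed).
BLOCKED_IPS = {
    "78.106.123.40",
    "217.75.214.4",
    "79.196.245.234",
}
BLOCKED_DOMAINS = {
    "qeruikipoikinfandes.com",
    "xasedriwasderios.com",
    "kadesuitungenfunhansde.com",
}

# Constructed sample log lines (not real traffic). The assumed layout is
# "<timestamp> <client-ip> <dns|http> <target> [rest of line]".
SAMPLE_LOG = """\
2007-11-03T09:20:01 10.0.0.12 dns www.example.com
2007-11-03T09:21:14 10.0.0.12 dns QERUIKIPOIKINFANDES.COM.
2007-11-03T09:21:15 10.0.0.12 http 217.75.214.4 GET /photo.exe
2007-11-03T09:22:40 10.0.0.31 dns mail.kadesuitungenfunhansde.com
2007-11-03T09:23:02 10.0.0.31 http 78.106.123.99 GET /index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>dns|http)\s+(?P<target>\S+)"
)


def _normalise_domain(name: str) -> str:
    # Resolver logs often append a trailing dot and preserve the query's case.
    return name.rstrip(".").lower()


def domain_matches(name: str) -> bool:
    """True if name is a listed domain or a subdomain of one."""
    name = _normalise_domain(name)
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_matches(value: str) -> bool:
    """True if value is a well-formed IP address that appears on the list."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return value in BLOCKED_IPS


def find_ioc_hits(log_text: str) -> list:
    """Return one dict per log line whose target matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        target = m.group("target")
        if ip_matches(target) or domain_matches(target):
            hits.append(
                {
                    "ts": m.group("ts"),
                    "client": m.group("client"),
                    "kind": m.group("kind"),
                    "target": target,
                }
            )
    return hits


def affected_clients(log_text: str) -> set:
    """Set of internal client addresses that contacted any indicator."""
    return {hit["client"] for hit in find_ioc_hits(log_text)}


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['target']} ({hit['kind']})")
    print("clients to look at:", sorted(affected_clients(SAMPLE_LOG)))
```

On the sample above, three lines match (the upper-cased DNS query, the HTTP fetch from 217.75.214.4 and the subdomain lookup), while 78.106.123.99 is correctly left alone because only the exact listed address is blocked; in a real deployment you would feed the script your own exported logs in place of SAMPLE_LOG.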

If you're interested, you can see a little more on the Warezov gang URLs here at the F-Secure blog.

The obvious advice here is to try to resist any and all seemingly well-intentioned messages sent out of the blue via Skype. We detect this as Is4GRL.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher


About this Entry

This page contains a single entry by Christopher Boyd published on November 3, 2007 9:25 AM.