Instant Messenging: August 2007 Archives

Recently, I was in Singapore to give a number of talks on spyware and adware attacks. Interestingly, a number of people in the area emailed me to let me know about something infecting their friends via MSN Messenger. As we investigated further, it did indeed seem to be centred on Singapore (with a few mentions of it on Chinese-language forums, too). Here's a screenshot from a popular Singapore community forum:

http://blog.spywareguide.com/upload/2007/08/singworm4-thumb.jpg

...and here's a screenshot from a Chinese forum:

http://blog.spywareguide.com/upload/2007/08/singworm5-thumb.jpg

...note the flag of Hong Kong in the bottom left-hand corner. All the cases we've seen of this so far have been limited to the Singapore region, with a couple of individuals mentioning it on Hong Kong-centric forums. Of course, this doesn't mean there aren't other victims out there, but the spread so far seems to be quite limited.

Check out this map -

singworm8.jpg

There are many, many domains hosting the main executable (dubbed "Singworm") pushed by the instant messaging infection link, the majority of them hosted in Hong Kong and Taiwan. Yet another file (Winsys.exe) is downloaded from a number of different servers, one of which is apparently hosted in Israel.

winsysexefile.GIF

Variants of Winsys.exe have previously been involved in various kinds of data theft, including login credentials, banking information and personal data.

The worm itself is mostly built for spamming, with elements of the Stration worm and other pieces of malware thrown in for good measure.

It starts, as it always does, with the downloading and execution of a single file - in this case, rather oddly, called "I.am.exe":

http://blog.spywareguide.com/upload/2007/08/singworm1-thumb.jpg

As soon as you run the file, the system starts trying to send spam via the collection of files it has already deposited on the PC. At certain points the volume of spam the system was trying to push out was so high that the test box slowed to a crawl and a reboot was needed. Here are a few of the files dropped into the System32 folder:

http://blog.spywareguide.com/upload/2007/08/singworm2-thumb.jpg

At this point, if you have MSN Messenger installed, the inevitable infection link will appear in the chat windows of your contacts, accompanied by the text "here are new smiles for MSN, they are incredible!":

http://blog.spywareguide.com/upload/2007/08/singworm6-thumb.jpg

....and of course, you'll send your infection link again.....and again.....and again.....

http://blog.spywareguide.com/upload/2007/08/singworm7-thumb.jpg
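The propagation pattern shown above (a fixed lure phrase, an executable link, and the same link re-sent to contact after contact) is exactly what an IM log monitor can catch. The Python below is an added example, not code from the original post or from the research team credited below: it flags messages that carry the quoted lure text or a link to an executable, then groups flagged links by sender to surface the fan-out that marks an infected account rather than a single bad link. The log line format, the sample messages, the domain example.invalid and the URL path are constructed assumptions; only the lure phrase and the dropper name I.am.exe come from the write-up.

```python
import re
from dataclasses import dataclass

# Lure text quoted in the write-up ("here are new smiles for MSN, they are
# incredible!"); matched case-insensitively on its distinctive core.
LURE_PHRASES = ("new smiles for msn",)

# File extensions that should never arrive as an unsolicited IM link.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Constructed sample IM log (NOT from the original post). The line format
# "<date> <time> <sender> -> <recipient>: <message>", the domain and the
# path are assumptions; "I.am.exe" is the dropper name given in the write-up.
SAMPLE_LOG = """\
2007-08-14 21:02:11 alice -> bob: hey, are you coming tonight?
2007-08-14 21:02:40 alice -> bob: here are new smiles for MSN, they are incredible! http://example.invalid/smiles/I.am.exe
2007-08-14 21:03:05 alice -> carol: here are new smiles for MSN, they are incredible! http://example.invalid/smiles/I.am.exe
2007-08-14 21:03:06 alice -> dave: here are new smiles for MSN, they are incredible! (http://example.invalid/smiles/I.am.exe)
2007-08-14 21:05:00 bob -> alice: what is this? http://example.invalid/photos.html
2007-08-14 21:06:10 carol -> alice: lol http://example.invalid/funny.jpg
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<sender>\S+) -> (?P<recipient>\S+): (?P<msg>.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Alert:
    ts: str
    sender: str
    recipient: str
    reasons: tuple
    urls: tuple


def normalize_url(url):
    """Strip trailing punctuation that chat text glues onto a URL, plus any
    query string or fragment, so the same link is recognised across messages."""
    url = url.rstrip(".,;:!?)]}'\"")
    return url.split("?", 1)[0].split("#", 1)[0]


def classify(msg):
    """Return (reasons, urls) for one message body; empty reasons means clean."""
    reasons = []
    urls = tuple(normalize_url(u) for u in URL_RE.findall(msg))
    lowered = msg.lower()
    if any(p in lowered for p in LURE_PHRASES):
        reasons.append("lure-text")
    if any(u.lower().endswith(EXEC_EXT) for u in urls):
        reasons.append("executable-link")
    return reasons, urls


def scan(log, fanout_threshold=3):
    """Scan a chat log. Returns per-message alerts plus the (sender, url) pairs
    pushed to at least `fanout_threshold` distinct recipients, which is the
    worm-like re-sending behaviour rather than one person pasting a bad link."""
    alerts = []
    recipients_by_link = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons, urls = classify(m["msg"])
        if not reasons:
            continue
        alerts.append(Alert(m["ts"], m["sender"], m["recipient"], tuple(reasons), urls))
        for u in urls:
            recipients_by_link.setdefault((m["sender"], u), set()).add(m["recipient"])
    fanout = {k: v for k, v in recipients_by_link.items() if len(v) >= fanout_threshold}
    return alerts, fanout


if __name__ == "__main__":
    found, spreading = scan(SAMPLE_LOG)
    for a in found:
        print(a.ts, a.sender, "->", a.recipient, ",".join(a.reasons), *a.urls)
    for (sender, url), who in spreading.items():
        print(f"fan-out: {sender} sent {url} to {len(who)} contacts: {sorted(who)}")
```

The fan-out grouping is the part worth keeping even after the lure text changes: a compromised account sending one link to three or more contacts in quick succession is the behaviour, while the phrase and the file name are just this variant's strings.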

At this point, detection coverage on VirusTotal.com for most of the files involved is sketchy at best. We've notified MSN of this threat - in the meantime, if you're in the Singapore or Hong Kong regions, be wary of any strange links coming through from your contacts, even ones you know...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: CC, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Senior Threat Researcher


About this Archive

This page is an archive of entries in the Instant Messenging category from August 2007.
