Worms: September 2007 Archives

Sometimes we obtain files and they just sit there, doing nothing. Here's a case where we went back for a second look and lots of IRC activity eventually kicked into life. This particular infection takes place as follows:

1) The bad guys infect your PC with an initial infection link, dropping you into a Botnet.

http://blog.spywareguide.com/upload/2007/09/insidejtworm-thumb.jpg

2) The Botnet is fired up periodically and they deposit a collection of Zipfiles (each containing more infections) onto your PC.

http://blog.spywareguide.com/upload/2007/09/zipstorage1-thumb.jpg

3) Infection commands are then sent via IRC to tell the infected PC to send your contacts infection links to the Zipfiles stored in your Windows directory.

http://blog.spywareguide.com/upload/2007/09/msnjt_replacement-thumb.jpg

Some of the infection messages include:

"Look at my new dancing movie"

"Look at me doing the moonwalk!!"

"Look what I found, more nude pictures of Justin Timberlake!"

We detect this (naturally enough) as JT.Moonwalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Bubbles...For Kids!


The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

It starts with an executable downloaded from a questionable website. This executable copies itself into the system32 directory of the victim PC, and these 4 files are copies of the main executable:

http://blog.spywareguide.com/upload/2007/09/hiddenfiles-thumb.PNG

That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo.exe:

http://blog.spywareguide.com/upload/2007/09/runescape-thumb.PNG

For those not aware, Runescape is an MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking for not only "runescape", but an "RS PIN:" as well. Could this mean payment details? Or (more likely), could they be referring to the victim's PIN to their in-game bank? Whether it's to simply loot your gold or to sell the PIN on illegal forums is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll.

http://blog.spywareguide.com/upload/2007/09/syswinf-thumb.PNG

Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.

http://blog.spywareguide.com/upload/2007/09/skypemsg-thumb.PNG

Now this worm starts looking familiar. This is the exact same behavior we observed in the original Bubbles worm. When you put it all together, what do you get? You get a worm/keylogger that spreads through Skype contacts and targets the teenagers who play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher
Additional Research: Deepak Setty, Senior Threat Researcher

As mentioned on the Official Skype Blog, there is indeed a new worm in the wild - someone, somewhere came up with w32/Ramex.A as a name but I thought "Bubbles" was more appropriate, as you'll see.

Everything starts with a user downloading this file:

http://blog.spywareguide.com/upload/2007/09/skyper1-thumb.jpg

Presented as an image file in the infection message, it's actually an .scr file - and no, that's not good.
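Added example (not code from the original post or from the SpywareGuide researchers): a small Python triage check for the trick described above, which flags a received file that is presented as an image but carries a .scr extension, an image-then-executable double extension, or a PE header behind an image extension. The file names and byte stubs are constructed for illustration.

```python
# Extensions Windows will run on double-click; the Bubbles payload is a .scr.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Well-known file signatures: a PE executable starts with "MZ".
MAGIC = {
    b"MZ": "pe-executable",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
}


def sniff(data):
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename, data):
    """Return the list of reasons to quarantine the file (empty = no finding)."""
    findings = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if last in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension")
    # "photo.jpg.scr": the part a user sees first looks like an image.
    if len(exts) >= 2 and exts[-2] in IMAGE_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        findings.append("image-double-extension")
    # Content says executable even though the extension does not.
    if kind == "pe-executable" and last not in EXECUTABLE_EXTENSIONS:
        findings.append("pe-content-disguised")
    return findings


# Constructed stubs standing in for a tiny PE file and a real JPEG.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("photo.jpg.scr", PE_STUB), ("photo.jpg", PE_STUB),
                       ("photo.jpg", JPEG_STUB), ("bubbles.scr", PE_STUB)]:
        print(name, triage_attachment(name, blob) or "clean")
```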

This file has been compressed to perfection:

http://blog.spywareguide.com/upload/2007/09/skyper6-thumb.jpg

...yep, that's a 2k infection file. Yet there's a whole lot of trouble in such a small package:

http://blog.spywareguide.com/upload/2007/09/skyper5-thumb.jpg

...as you can see, the Worm tries to fool you into thinking someone really is on the other end by sending you what looks like fragments of a continuing conversation, finishing with a supposedly accidental sending of an image you're "not supposed to see".

Got to love that social engineering.

Here's a sample of some of the infection messages sent by the worm:

http://blog.spywareguide.com/upload/2007/09/skyper3-thumb.jpg
But why did we call it "bubbles"? Easy, this is what you see when you attempt to open the .scr for the first time:

http://blog.spywareguide.com/upload/2007/09/skyper4-thumb.jpg

Apparently, not everyone sees the bubbles when they run this file. I bet they really feel like they're missing out...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

About this Archive

This page is an archive of entries in the Worms category from September 2007.

Worms: October 2006 is the previous archive.

Worms: November 2007 is the next archive.

Find recent content on the main index or look in the archives to find all content.