SANS ISC: InfoSec Handlers Diary Blog

Possible new Twitter worm

Published: 2011-01-20
Last Updated: 2011-01-20 16:41:39 UTC
by Manuel Humberto Santander Pelaez (Version: 1)

It looks like there is a new Twitter worm out there. There is an increased number of tweets like the following ones, each carrying a shortened link:

[Image: sample scam tweets]

Those short URLs point to the servers hosting the malware. The following are some of the malicious URLs I could gather; note that every one of them serves the same page name, m28sx.html, on a different compromised host (CAREFUL: THEY ARE STILL ACTIVE):

  • http://cainnoventa.it/m28sx.html
  • http://servizialcittadino.it/m28sx.html
  • http://aimos.fr/m28sx.html
  • http://lowcostcoiffure.fr/m28sx.html
  • http://s15248477.onlinehome-server.info/m28sx.html
  • http://www.waseetstore.com/m28sx.html
  • http://www.gemini.ee/m28sx.html

After clicking the URL, you are redirected to a fake AV (rogue antivirus) web page.

The downloaded malware is named pack.exe (MD5 264ebccca76bdb89f4ae9519c4cd267e, SHA1 d16573ce7ce7710865b34bc1abeef699c20549ed). As of January 20 2011 16:19:58 UTC, only 2 of 43 antivirus engines on VirusTotal detected it, as SecurityShieldFraud.

Once run, the malware copies itself to C:\Documents and Settings\<your username>\Local Settings\Application Data\mbcjmhny.exe and then launches cmd.exe to kill its own original process (taskkill on its PID), pause for a couple of seconds (the ping -n 3 127.1 trick, 127.1 being shorthand for 127.0.0.1), delete the downloaded pack.exe, and restart itself from the new location with the -f switch. The command line it uses is:

"C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1576 & ping -n 3 127.1 & del /f /q "C:\pack.exe" & start C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\mbcjmhny.exe -f
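The two indicator sets above (the landing URLs, which all share the m28sx.html path, and the self-relocation command line) can be turned into detection logic. The following Python script is an added example written for this diary, not code from the diary author or from the malware analysis itself: it classifies proxy-log URLs by known host or by the shared path, parses the cmd.exe relaunch pattern out of a process-creation command line (as logged by Sysmon Event ID 1 or Windows event 4688 with command-line auditing), and checks a file's hashes against the pack.exe sample. The proxy log lines and the extra host in them are constructed for the example; the regular expression deliberately generalizes the observed command line to any PID, ping count and drop path, which is an assumption about other variants, not something the diary states.

```python
"""Detection helpers built from the indicators in the diary above (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the diary.
MALICIOUS_URLS = [
    "http://cainnoventa.it/m28sx.html",
    "http://servizialcittadino.it/m28sx.html",
    "http://aimos.fr/m28sx.html",
    "http://lowcostcoiffure.fr/m28sx.html",
    "http://s15248477.onlinehome-server.info/m28sx.html",
    "http://www.waseetstore.com/m28sx.html",
    "http://www.gemini.ee/m28sx.html",
]
MALICIOUS_HOSTS = {urlparse(u).hostname.lower() for u in MALICIOUS_URLS}
MALICIOUS_PATH = "/m28sx.html"  # shared by every landing URL in the diary
PACK_EXE_MD5 = "264ebccca76bdb89f4ae9519c4cd267e"
PACK_EXE_SHA1 = "d16573ce7ce7710865b34bc1abeef699c20549ed"

# Self-relocation chain: kill original PID, sleep via ping to localhost,
# delete the dropper, start the copy.  PID, ping count and paths are captured
# so the pattern also matches other PIDs / drop locations (an assumption).
RELAUNCH_RE = re.compile(
    r'taskkill\s+/f\s+/pid\s+(?P<pid>\d+)\s*&\s*'
    r'ping\s+-n\s+(?P<count>\d+)\s+127(?:\.0\.0)?\.1\s*&\s*'
    r'del\s+/f\s+/q\s+"?(?P<dropper>[^"&]+?)"?\s*&\s*'
    r'start\s+(?P<copy>\S+)',
    re.IGNORECASE,
)

# Constructed Squid-style proxy log: one benign request, one known host,
# one unknown host serving the same m28sx.html page.
SAMPLE_PROXY_LOG = """\
1295540001.117 245 10.0.0.15 TCP_MISS/200 18744 GET http://www.example.org/index.html - DIRECT/203.0.113.9 text/html
1295540003.402 389 10.0.0.15 TCP_MISS/200 2810 GET http://cainnoventa.it/m28sx.html - DIRECT/198.51.100.7 text/html
1295540005.810 120 10.0.0.22 TCP_MISS/200 3002 GET http://some-other-host.example/m28sx.html - DIRECT/198.51.100.8 text/html
"""

# The command line quoted in the diary, as a process-creation log would show it.
SAMPLE_CMDLINE = r'"C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1576 & ping -n 3 127.1 & del /f /q "C:\pack.exe" & start C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\mbcjmhny.exe -f'


def classify_url(url):
    """Return 'host' for a known malicious host, 'path' for the shared
    landing-page name on an unknown host, or None if neither matches."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        return "host"
    if parsed.path.lower() == MALICIOUS_PATH:
        return "path"
    return None


def scan_proxy_log(lines):
    """Yield hits from whitespace-delimited proxy log lines; the URL is the
    first token that looks like an absolute http(s) URL."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        tokens = line.split()
        url = next((t for t in tokens if t.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        reason = classify_url(url)
        if reason:
            hits.append({"line_no": line_no, "url": url, "reason": reason})
    return hits


def parse_relaunch_cmdline(cmdline):
    """Return the components of the kill/sleep/delete/restart chain, or None."""
    m = RELAUNCH_RE.search(cmdline)
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "count": int(m.group("count")),
        "dropper": m.group("dropper"),
        "copy": m.group("copy"),
    }


def check_dropper_hash(data):
    """True only if both the MD5 and SHA1 match the pack.exe sample."""
    return (hashlib.md5(data).hexdigest() == PACK_EXE_MD5
            and hashlib.sha1(data).hexdigest() == PACK_EXE_SHA1)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
    print(parse_relaunch_cmdline(SAMPLE_CMDLINE))
```

The path-only match is weaker than the host match and will need review, but it is what catches the next compromised host before its name is known; the command-line parser keys on the kill/ping/del/start sequence rather than on the specific PID or the mbcjmhny.exe name, since both are the parts an author would change first.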

We will keep analyzing the malware and post an update with more information.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Keywords: twitter worm