Brazilian MSN Worm Looks Familiar
Brazil is the home of the infamous Infostealer.Bancos family ofmalware. Recently, however, we have seen a more diverse number of sites- beyond just banking sites - coming into the crosshairs of theBrazilian malware gangs. Is the recent W32.Imcontactspam worm anotherof their creations?
The worm is Brazilian and spammed the infected users’ MSN contactswith email advising them that they had received an electronic greetingcard. We see these types of worms quite often; however what caught ourattention were the similarities between the techniques this worm usesand the techniques used by the Infostealer.Bancos family of trojans.
When executed, the worm does the following:
- Minimizes the real MSN Messenger login window;
- Displays a fake Portuguese language MSN login screen;
- Records the username and password that is typed;
- Displays the real MSN Messenger login window (user must re-type password);
- Records the email address of all contacts, and;
- Sends a report including the username, password and a list of contacts of the infected user to the worms’ authors.
Below is an example of the type of email that the worm authors will receive. (Usario = Username and Senha = Password)
At the same time the worm also sends an email to all of the infectedusers contacts with the following details (abbreviated translation: “Afriend has sent you a card, to see it click on the link below”):
When the contact clicks on the link to view the greeting card theyare presented with a popup stating that “The latest version ofMacromedia Flash Player was not found, please, download and install it “
The contact is then presented with a fake Flash “Install now” page:
And finally the contact is presented with the payload:
This fake Flash update is in fact a copy of the worm. If the contactagrees to install the fake update, then the infection starts all overagain on that contact’s computer.
The worm also sends the following fake email which appears to be a phishing attack against cartoes24horas.com.br:
The links in the fake email actually point to cartorioS24horas.com,NOT the legitimate site cartorio24horas.com.br. It is difficult to sayexactly what the attackers were attempting to gain from this email asthe phishing site cartorios24horas.com is currently unavailable.[carties24horas.com.br are aware of these fake emails and have awarning to their users on their home page. ]
When analyzing this worm, it was obvious that this worm has many ofthe same characteristics of the Infostealer.Bancos samples that we seeso often. The most obvious shared trait is that they both target aBrazilian audience and that they are both written in the Delphilanguage.
Another point of interest is that, rather than using the real MSNwindow and recording the keystrokes (which most other worms would do),the worm’s author decided to display a fake MSN messenger windowinstead. This fake window is embedded in the executable as a jpg. Thismakes the executable quite large and also limits the functionality ofthe fake window. For example, the worm is unable handle if the infecteduser clicks on the file menu, so it displays a message box stating thatthe operation was not possible:
Almost all of the Infostelaer.Bancos family of Trojans have embeddedimages in them (meaning that the executable is also quite large), andthey display these images instead of the real bank Web site in asimilar way to this worm.
Another shared characteristic is that, more often than not, theInfostealer.Bancos Trojans also collect all the infected users contactsand send them to the attacker at an anonymous email address. This wormsends the addresses of all the infected users contacts (along with theusername and password of the infected user) to two Gmail accounts. [Theaccount details for both of these addresses have been passed to theabuse team at Gmail.]
Also, it is quite obvious that the creator of this worm is not avery skilled programmer. This is apparent from the use of a fake MSNwindow rather than the real one and because, during testing of theworm, the emails sent to all infected users’ contacts actuallycontained the infected users’ password in the FROM: field, instead ofthe username.
Lastly, the Infostealer.Bancos family are quickly recognizablebecause they usually use the .scr extension (for screensaver) insteadof the normal .exe extension.
Reviewing the details of the fake Flash update we saw above we seethat the file extension used is .scr and the file type is listed asScreen Saver.
Of course some of these attributes can also be found in otheramateur type viruses but the amount of similarities certainly causescomparisons to be drawn between the two threats.
Similarities between the two threats
We cannot be certain that this worm was created by the same peoplethat created the Infostealer.Bancos Trojans, but it certainly would notbe surprising to discover that both were written by the very same gang,and that the gang are expanding their operation to target more thanjust banking sites.