Video Screencast Help
Security Response

The Orkut Worm – Digging Deeper

Created: 29 Feb 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:01 GMT
Silas Barnes's picture
0 0 Votes
Login to vote

Due to some confusion with this particularthreat, we’ve decided to provide some further details on the Orkut wormwe blogged on earlier in the week. The worm, recently renamed toW32.Scrapkut, uses active code injection as a vehicle to propagate tothe Orkut friends of its unfortunate victim.

Initially, a malicious scrap is posted to the victim’s scrapbook, containing a link to what appears to be a YouTube video:


When a victim clicks on the link, they are redirected to an externalsite which prompts them to download the file “flashx_player_9.8.0.exe”.For those who read Symantec’s Security Response Blog regularly, you mayrecognize the page in question:

My colleague Liam O’Murchu identified this in a previous blog, andthe page shown above matches word-for-word that of the page used by theW32.Imcontactspam worm. This may be yet another creation by the samepeople who brought us both W32.Imcontactspam and Infostealer.Bancos,however this has not been confirmed.

When executed, flashx_player_9.8.0.exe retrieves the fileswindosremote.exe, logservicess.exe and win32chekupdate.exe fromhttp://[REMOVED] These files download additional filesthat perform a variety of malicious actions, but logservicess.exe isthe main executable for further propagation. Logservicess.exe firstcopies itself as maindwxp.exe to four different locations on the systemto ensure it is executed on startup.

Maindwxp.exe then checks in with the command and control server viaa GET request with specific parameter values. Interestingly, the pagereturned simply contains the word “Rastreados” followed by a number. InPortuguese, “rastreados” means “crawled” - at last check the number was13559.

Maindwxp.exe then executes and begins checking for an active browserwindow, waiting for the victim to visit Orkut. Once the victim is in anauthenticated Orkut session, maindwxp.exe injects Javascript code intothe active Orkut web session. This Javascript code which is actuallybased on a popular Greasemonkey script is then executed within thecontext of the Orkut domain and the user’s authenticated session,resulting in the malicious scrapbook entry being sent to all thevictims’ friends, and the cycle begins again.

Social networking sites will continue to be an attractive target forattackers, as highly interactive sites can spread threats very quickly.Attackers will evolve their techniques to respond to increased securitymeasures, and we have seen a variety of threats exploiting the trustpeople have in their friends. It is yet another reminder to treatelectronic communications with care, no matter who it is from.