Due to some confusion with this particular threat, we’ve decided to provide some further details on the Orkut worm we blogged on earlier in the week. The worm, recently renamed to W32.Scrapkut, uses active code injection as a vehicle to propagate to the Orkut friends of its unfortunate victim.
Initially, a malicious scrap is posted to the victim’s scrapbook, containing a link to what appears to be a YouTube video:
When a victim clicks on the link, they are redirected to an external site which prompts them to download the file “flashx_player_9.8.0.exe”. For those who read Symantec’s Security Response Blog regularly, you may recognize the page in question:
My colleague Liam O’Murchu identified this in a previous blog, and the page shown above matches word-for-word that of the page used by the W32.Imcontactspam worm. This may be yet another creation by the same people who brought us both W32.Imcontactspam and Infostealer.Bancos; however, this has not been confirmed.
When executed, flashx_player_9.8.0.exe retrieves the files windosremote.exe, logservicess.exe and win32chekupdate.exe from http://[REMOVED].ifastnet.com. These files download additional files that perform a variety of malicious actions, but logservicess.exe is the main executable for further propagation. Logservicess.exe first copies itself as maindwxp.exe to four different locations on the system to ensure it is executed on startup.
Maindwxp.exe then checks in with the command and control server via a GET request with specific parameter values. Interestingly, the page returned simply contains the word “Rastreados” followed by a number. In Portuguese, “rastreados” means “crawled”; at last check the number was 13559.
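The download chain described above (the dropper fetch followed by the second-stage files from an ifastnet.com host) can be correlated per client in web proxy logs. The following is an added example, not code from the original post or from Symantec: it assumes a hypothetical “timestamp client url” log format, uses constructed sample lines, and substitutes a placeholder subdomain for the one redacted in the post.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators quoted in the write-up above
DROPPER = "flashx_player_9.8.0.exe"
PAYLOADS = {"windosremote.exe", "logservicess.exe", "win32chekupdate.exe"}
PAYLOAD_DOMAIN = "ifastnet.com"  # the post redacts the subdomain

# Constructed proxy log lines in a hypothetical "timestamp client url" format.
# "REMOVED.ifastnet.com" is a placeholder standing in for the redacted host.
SAMPLE_LOG = """\
2008-02-28T10:00:01 10.0.0.5 http://video.example/watch?v=1
2008-02-28T10:00:09 10.0.0.5 http://video.example/flashx_player_9.8.0.exe
2008-02-28T10:00:31 10.0.0.5 http://REMOVED.ifastnet.com/logservicess.exe
2008-02-28T10:00:33 10.0.0.5 http://REMOVED.ifastnet.com/windosremote.exe
2008-02-28T10:05:00 10.0.0.7 http://REMOVED.ifastnet.com/win32chekupdate.exe
2008-02-28T10:06:00 10.0.0.9 http://video.example/flashx_player_9.8.0.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (timestamp, client, host, filename) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, url = m.groups()
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    return datetime.fromisoformat(ts), client, (parsed.hostname or "").lower(), filename

def classify_clients(log_text, window=timedelta(minutes=10)):
    """Map each client to 'chain', 'dropper' or 'payload'.
    'chain' means the dropper download was followed within `window` by a fetch of
    a second-stage file from an ifastnet.com host, the strongest signal here."""
    dropper_seen = {}  # client -> time the dropper was downloaded
    verdict = {}
    for ts, client, host, fname in filter(None, map(parse_line, log_text.splitlines())):
        if fname == DROPPER:
            dropper_seen[client] = ts
            verdict.setdefault(client, "dropper")
        elif fname in PAYLOADS and (host == PAYLOAD_DOMAIN or host.endswith("." + PAYLOAD_DOMAIN)):
            start = dropper_seen.get(client)
            if start is not None and start <= ts <= start + window:
                verdict[client] = "chain"
            else:
                verdict.setdefault(client, "payload")
    return verdict

if __name__ == "__main__":
    for client, stage in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f"{client}: {stage}")
```

A client marked “payload” fetched a second-stage file without a logged dropper download, which still deserves a look, since the dropper may have arrived by another path.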
Social networking sites will continue to be an attractive target for attackers, as highly interactive sites can spread threats very quickly. Attackers will evolve their techniques to respond to increased security measures, and we have seen a variety of threats exploiting the trust people have in their friends. It is yet another reminder to treat electronic communications with care, no matter who they are from.