Thursday, September 20, 2007 1:45 PM
cmosby
WORM_SOHANAD spreads via Yahoo Messenger (YM) - TrendLabs | Malware Blog
September 20th, 2007 by Carolyn Guevarra (Technical Marketing)
Today, Senior Anti-Threat Researcher Loucif Kharouni reported a YM message that is currently spreading in the wild. It was written in English and contained a link regarding some pictures from the Iraq War. The link was found to be malicious. Here is a screenshot of what is being received:

Once you copy-paste the link into an Internet Explorer browser and try to access the site …:

…you are redirected and the link becomes completely different. This is because once you try to access the picture, it redirects you to a malicious Web site, http://72.{BLOCKED}.170/~plobble/smail/lists/etc/index.php.

Once this happens, the malicious routine starts. It modifies your YM status into a message containing a malicious link. It also sends out to each of your YM contacts the following messages and malicious links:

Once installed and running on your system, it drops worm files and their components, creates processes, and prevents your system from running antivirus and security programs. Trend Micro detects the dropped files as WORM_SOHANAD.DC and WORM_SOHANAD.DJ. It also drops a copy of itself in the Windows startup folder so that it can run every time Windows restarts. It accesses the following Web sites, probably to download more malicious files:
- http://72.{BLOCKED}.170/~plobble/smail/lists/etc/worm2007.exe
- http://72.{BLOCKED}.170/~plobble/smail/lists/etc/YMworm.exe
The network capture of the infection below shows the request to download the file YMworm.exe (WORM_SOHANAD.DC) from the malicious website:
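The download requests above are the most reliable network trace of this infection, so here is an added example (not from the original post) of a small proxy-log check that flags internal clients fetching the worm's components by URL path. The Squid-style log lines and the 192.0.2.170 host address are constructed for the example, since the post redacts the real octets; only the path and file names come from the post.

```python
import re
from urllib.parse import urlparse

# Indicator values taken from the post: the worm's download directory and
# the files it fetches from it. The host is redacted there, so we match on
# the URL path rather than on the IP address.
SOHANAD_PATH_PREFIX = "/~plobble/smail/lists/etc/"
SOHANAD_FILES = {"worm2007.exe", "ymworm.exe", "index.php"}

# Squid access.log layout: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample lines; 10.0.0.x are internal clients, 192.0.2.170 is a
# placeholder for the redacted malicious host.
SAMPLE_LOG = [
    "1190300000.101 12 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1190300000.205 40 10.0.0.5 TCP_MISS/200 1024 GET http://192.0.2.170/~plobble/smail/lists/etc/index.php?id=1 - DIRECT/192.0.2.170 text/html",
    "1190300001.310 45 10.0.0.5 TCP_MISS/200 61440 GET http://192.0.2.170/~plobble/smail/lists/etc/YMworm.exe - DIRECT/192.0.2.170 application/octet-stream",
    "1190300002.415 44 10.0.0.7 TCP_MISS/200 59392 GET http://192.0.2.170/~plobble/smail/lists/etc/worm2007.exe - DIRECT/192.0.2.170 application/octet-stream",
    "1190300003.520 30 10.0.0.9 TCP_MISS/200 2048 GET http://downloads.example.org/tools/setup.exe - DIRECT/198.51.100.8 application/octet-stream",
]


def parse_line(line):
    """Return the fields we need from one Squid access.log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sohanad_url(url):
    """True if the URL points at one of the worm components named in the post.

    The path is compared case-insensitively so that a host that serves the
    files under a different case is still caught; the query string is ignored.
    """
    path = urlparse(url).path.lower()
    prefix = SOHANAD_PATH_PREFIX.lower()
    if not path.startswith(prefix):
        return False
    return path[len(prefix):] in SOHANAD_FILES


def find_infected_clients(lines):
    """Map each client that fetched a worm component to the URLs it requested."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec and is_sohanad_url(rec["url"]):
            hits.setdefault(rec["client"], []).append(rec["url"])
    return hits


if __name__ == "__main__":
    for client, urls in find_infected_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(urls))
```

A client appearing in the result has already reached the download stage, so it should be isolated and checked for the dropped files and the startup-folder copy described above.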

Users are advised to be wary of the said IM messages and not to click on links sent via YM, even if they come from someone you know. Chances are you might already be downloading WORM_SOHANAD onto your computer.
Data provided by Loucif Kharouni, Senior Anti-Threat Researcher (Trend Micro EMEA)
Source: WORM_SOHANAD spreads via Yahoo Messenger (YM) - TrendLabs | Malware Blog - by Trend Micro
Filed under: Security and Anti-Virus, Internet Applications, Spam\Phishing