Fake Twitter spam – Merond Worm (Oct 2, 2009)
SonicWALL UTM Research team observed a new Merond worm variant being spammed in the wild via fake Twitter invitation e-mail messages. The e-mail message looks like the following:
Sender: invitations@twitter.com [Spoofed sender address]
Subject: Your friend invited you to twitter!
Attachment: Invitation Card.zip [ Contains document.doc (spaces) .exe ]
The malicious executable inside the attachment is the new mass-mailing worm variant and the file looks like:
A sample e-mail message is shown below:
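The attachment described above relies on a padded double extension: the member is named `document.doc`, followed by a long run of spaces, followed by `.exe`, so a mail client or file browser that truncates long names shows only the harmless-looking `.doc` part. The following added example (not SonicWALL's code, and not from the post) shows how a mail gateway or triage script can inspect an archive's member names for that pattern. The zip it scans is constructed in memory with placeholder bytes, and the extension lists are assumptions, not taken from the post.

```python
import io
import re
import zipfile

# Extensions Windows launches on double-click (assumed list, not from the post).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient would read as a harmless document (assumed list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".rtf", ".jpg", ".xls"}

# "name.doc<many spaces>.exe": a document-looking extension, a run of whitespace,
# then the real executable extension at the very end of the name.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<base>.+?)(?P<fake>\.[A-Za-z0-9]{1,5})(?P<pad>\s{2,})(?P<real>\.[A-Za-z0-9]{1,4})$"
)


def classify_member_name(name):
    """Return the reasons an archive member name looks like a disguised executable (empty if none)."""
    reasons = []
    # Zip member names may carry a directory part; judge only the leaf file name.
    leaf = name.rsplit("/", 1)[-1]
    lowered = leaf.lower()
    real_ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("member has executable extension %s" % real_ext)
        m = PADDED_DOUBLE_EXT.match(leaf)
        if m and m.group("fake").lower() in DOCUMENT_EXTENSIONS:
            reasons.append(
                "padded double extension: displays as %s%s, really %s (%d spaces hide it)"
                % (m.group("base"), m.group("fake"), m.group("real"), len(m.group("pad")))
            )
    return reasons


def suspicious_members(zip_bytes):
    """Scan an in-memory zip attachment; return {member_name: [reasons]} for flagged members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed stand-in for 'Invitation Card.zip'; the member is placeholder bytes, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.doc" + " " * 40 + ".exe", b"MZ placeholder, not a real PE")
        zf.writestr("readme.txt", b"benign member for contrast")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_attachment()).items():
        print(repr(name))
        for reason in reasons:
            print("   -", reason)
```

The check is deliberately name-based so it can run before anything is extracted; in a real gateway it belongs alongside content inspection of the member (for example, a PE header check on anything whose claimed extension is a document), since the name is only the lure, not the payload.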
When executed, the worm performs the following activities on the victim machine:
- Injects a malicious executable into multiple system files on the victim machine, some of which are listed below:
- (System Folder)\attrib.exe
- (System Folder)\bootcfg.exe
- (System Folder)\calc.exe
- (System Folder)\chkdsk.exe
- Determines the IP address of the victim machine by sending a GET request to whatismyip.com
- E-mails a copy of itself to the e-mail addresses harvested from the victim machine
- Collects and sends back sensitive information from the victim machine to the predetermined IP address on port 65520. A sample encrypted packet is shown below:
- Downloads rogueware applications onto the victim machine.
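Two of the behaviours listed above are visible from the network rather than the host: the GET request to whatismyip.com to learn the victim's external address, and the outbound connection to a fixed IP on port 65520 carrying the encrypted data. The following added example (not SonicWALL's code, and not from the post) runs a simple correlation over proxy and firewall log lines and reports hosts that show both indicators, which is a stronger signal than either one alone. The log line formats and every address and timestamp in `SAMPLE_LOG` are constructed for the example; the destination IP in the post is not given, so a documentation address (203.0.113.7) stands in for it.

```python
import re
from collections import defaultdict

# Indicators taken from the post: external-IP lookup via whatismyip.com and
# outbound traffic to a predetermined address on TCP port 65520.
EXFIL_PORT = 65520
IP_LOOKUP_HOSTS = {"whatismyip.com", "www.whatismyip.com"}

# Constructed log formats (not from any real product):
#   proxy: "<ts> <src_ip> <METHOD> <url> <status>"
#   fw:    "<ts> <ACTION> TCP <src_ip>:<sport> -> <dst_ip>:<dport>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)\S* (?P<status>\d{3})$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) TCP (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"-> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: one host does the lookup and then talks to port 65520 twice,
# a second host only makes ordinary HTTPS traffic.
SAMPLE_LOG = """\
2009-10-02T09:12:01 10.0.0.15 GET http://www.whatismyip.com/ 200
2009-10-02T09:12:03 10.0.0.15 GET http://update.example.test/index.html 200
2009-10-02T09:12:09 ALLOW TCP 10.0.0.15:49211 -> 203.0.113.7:65520
2009-10-02T09:13:00 ALLOW TCP 10.0.0.22:49300 -> 198.51.100.9:443
2009-10-02T09:14:15 ALLOW TCP 10.0.0.15:49220 -> 203.0.113.7:65520
"""


def scan_log(text):
    """Parse proxy/firewall lines; return (per-host findings, hosts matching both indicators)."""
    per_host = defaultdict(lambda: {"ip_lookup": [], "port_65520": []})
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            if m.group("host").lower() in IP_LOOKUP_HOSTS:
                per_host[m.group("src")]["ip_lookup"].append(m.group("ts"))
            continue
        m = FW_RE.match(line)
        if m and int(m.group("dport")) == EXFIL_PORT:
            per_host[m.group("src")]["port_65520"].append((m.group("ts"), m.group("dst")))
    both = sorted(h for h, f in per_host.items() if f["ip_lookup"] and f["port_65520"])
    return dict(per_host), both


if __name__ == "__main__":
    findings, hosts = scan_log(SAMPLE_LOG)
    for host in hosts:
        print("host %s: IP lookup at %s, then %d connection(s) to port %d"
              % (host, findings[host]["ip_lookup"][0],
                 len(findings[host]["port_65520"]), EXFIL_PORT))
```

An IP-lookup request on its own is common enough in normal traffic that it should be treated as context, not an alert; the unusual high port to a single external address is the part worth blocking at the perimeter and hunting for retroactively.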
This malware is also known as TR/Buzus.caro [AntiVir], Worm:Win32/Prolaco.gen!C [Microsoft], and Worm:W32/Prolaco.D [F-Secure].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Merond.V (Worm) signature.