Hey, this malware seems to be designed to make fools of people and convey this after getting infected.
There are things which I like in this malware:

1. It doesn't randomly send messages; it only targets live conversations.
2. It hides itself by killing the parent process.
3. It uses a rootkit driver to escape detection.
4. It also replicates via USB.

Hope we learn professional programming by studying this kind of malware architecture.

Regards,
0xN41K

On May 12, 8:08 pm, Amar Deep <[email protected]> wrote:
> HI,
>
> While both Yahoo! Messenger and MSN Messenger have been massively exploited by IM worms, Skype users have been less exposed to this type of e-threat. It's true that hyperlink-sending worms are hardly news in the current malware landscape, and multiple variants affecting various IM services are in the wild, but most of them are extremely easy to remove and don’t come with an additional method of protection. Unlike average IM worms, Backdoor.Tofsee features an extensive set of tricks to deter detection and removal, as well as a wide assortment of ways to harm both the user and their computer.
>
> The worm relies on social engineering to lure the user into downloading and executing a copy of itself on the local machine. It looks for the system locale settings (country, language and currency) in order to determine which language to send its messages in. It can use English, Spanish, Italian, Dutch, German, and French to send itself to either Skype or Yahoo! Messenger contacts. The alleged conversations will always be different from the previous messages and will be constantly updated from a remote location.
>
> Plus, in order to avoid suspicion, the worm will only send the message during an on-going conversation, rather than randomly starting one-link monologues. As the unwary user clicks on the infected link, they will be redirected to a spoofed page impersonating Rapidshare.
> If the user continues the download process by clicking the alleged Rapidshare download link, they get a zipped archive called NewPhoto024.JPG.zip. Upon extraction, the archive reveals an executable file with a deceptive name: NewPhoto024.JPG_www.tinyfilehost.com. The file looks like a JPG, followed by a URL.
>
> However, the trailing .com is actually the file format revealing an MS-DOS executable application. Once executed, the infected binary queries the Windows Registry to see if either Skype or Yahoo Messenger is installed. If neither application is to be found on the computer, the worm will exit without infecting the system. If they are, the worm ensures that it is not being analyzed in a virtual machine by checking the Performance Counter.
>
> Should the worm detect that it is running in a virtual machine or inside a debugger, it automatically terminates itself; otherwise it creates a suspended child process and subsequently injects the worm’s decrypted overlay into it. After the successful injection, the child process is resumed and the parent process kills itself.
>
> In order to hide itself from the operating system, the worm deploys its last line of defense: a rootkit driver that conceals files, monitors the global Internet activity originating from the infected machine and prevents access to the URLs associated with antivirus vendors, online scanners, tech support forums and, of course, Windows Update. As a novelty, the worm also denies access to a certain number of high-profile download portals that might host removal tools or antivirus utilities.
>
> After having successfully compromised the system, the worm adds itself to the Startup key in the Windows Registry; it also deactivates the Windows Firewall in order to breach the local security and to allow a remote attacker to connect to the worm’s backdoor component.
> To make things worse, the rootkit component also prevents the installation of any file known to be an antivirus product. Backdoor.Tofsee identifies these files by their filename, so renaming the blocked file should solve the issue.
>
> The worm’s spreading mechanism isn’t reduced to spamming itself via Skype and YIM; it also copies itself on any attached USB storage devices it finds by replicating its binary in a newly-created folder called ~secure and creating an autorun.inf file to point to it. A secondary folder, called Temp002, is also generated and a binary file infected with Trojan.Vaklik.AY is planted inside it. All the created files have the archive, hidden and system attributes set to 1 in order to conceal them from the Windows Explorer shell.
>
> Backdoor.Tofsee is a high-risk piece of malware that allows a remote attacker to take complete control over the infected machine and use it for various illegal purposes. In order to stay safe, you are advised to install and regularly update a complete antimalware solution with antispam, antiphishing, antivirus and firewall modules.
>
> Author: Bogdan Botezatu, BitDefender <http://www.malwarecity.com/blog/malware-alert-rootkit-based-skype-wor...>.
>
> --
> You received this message because you are subscribed to the Google Groups "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
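As an added example, not code from the post or from BitDefender, here is a small Python checker for the USB replication pattern the quoted write-up describes: it parses a volume's autorun.inf and flags launch targets that sit in the ~secure or Temp002 folders, carry an image-like name with an executable extension, or have the hidden and system attributes set. The sample autorun.inf, the folder list and the extension list are constructed for this example; the attribute check only works on Windows, where os.stat exposes st_file_attributes.

```python
import configparser
import os
import stat

WORM_FOLDERS = {"~secure", "temp002"}   # folders the post says the worm creates on USB media
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".pif")
HIDE_ATTRS = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
# Constructed autorun.inf mirroring the layout the post describes (not a real sample).
SAMPLE_INF = "[AutoRun]\nopen=~secure\\NewPhoto024.JPG_www.tinyfilehost.com\nicon=shell32.dll,4\n"

def autorun_targets(text):
    """Launch targets named in an autorun.inf body; section name matched case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # malformed file: nothing parseable to report
    sect = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if sect is None:
        return []
    values = (cp.get(sect, k).strip().strip('"') for k in AUTORUN_KEYS if cp.has_option(sect, k))
    return [v.split()[0].strip('"') for v in values if v]

def classify_target(target, root=None):
    """Reasons a launch target matches the worm's USB dropper pattern (empty list = clean)."""
    parts = target.replace("\\", "/").split("/")
    folders, name = [p.lower() for p in parts[:-1]], parts[-1].lower()
    reasons = []
    if any(f in WORM_FOLDERS for f in folders):
        reasons.append("launches from a folder name the worm creates")
    if name.endswith(EXEC_EXT) and ".jpg" in name:
        reasons.append("executable disguised with an image-like name")
    path = os.path.join(root, *parts) if root else None
    if path and os.path.exists(path):
        attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows-only field, else 0
        if attrs & HIDE_ATTRS == HIDE_ATTRS:
            reasons.append("target carries the hidden and system attributes")
    return reasons

def scan_autorun(text, root=None):
    # Returns [(target, reasons)] for suspicious entries; pass the volume root to check attributes.
    return [(t, r) for t, r in ((t, classify_target(t, root)) for t in autorun_targets(text)) if r]

def scan_volume(root):
    """Read autorun.inf at a mounted volume root and scan it."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        return scan_autorun(fh.read(), root)
```

Run scan_volume against the mount point of a removable drive; an empty list means no entry matched the pattern, not that the volume is clean.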
