Virus Alerts - Panda Security’s weekly report on viruses and intruders - 09-12-08
September 2008 by Panda
This week’s PandaLabs report describes the YTFakeCreator program, the Trj/PHilto.A Trojan and the W32/MSNBot.D worm.
YTFakeCreator is a program that allows cyber-crooks to create spoof YouTube videos aimed at infecting users with malware. Potential victims receive an email promoting a video supposedly containing sensational content (erotic images of celebrities, the death of famous people, etc.) and inviting them to click a link to the video. This technique is known as social engineering.
If they take the bait, users are directed to a spoof YouTube page (image at: http://www.flickr.com/photos/panda_security/2840011688/) and see an error message explaining that the video cannot be loaded until a certain component is downloaded (a codec, an Adobe Flash update, etc.). They are then prompted to download it. However, if they do this, they actually download some type of malware onto their computers.
YTFakeCreator makes it easy to create these spoof YouTube pages, letting the attacker customize the error message text and the time it takes to appear. It also allows cyber-crooks to insert the link to the malware to be downloaded onto users’ computers, and even to create a false YouTube profile to enhance the realism of the page. All of this can be done with just a single program (image: http://www.flickr.com/photos/panda_security/2839993538/).
The malicious code distributed through these spoof pages can be chosen by the person creating the page: viruses, worms, adware, Trojans…
Trj/PHilto.A is an executable file that displays a video with adult content. It has an icon with an image of Paris Hilton, which when clicked displays a screen prompting users to download and view the video.
If users choose the option to view the video, two new windows appear on the screen and the system connects to a web page to download the components needed (codecs) to view the video.
A randomly-named, 303104-byte executable is downloaded, detected as Adware/NaviPromo.
The W32/MSNBot.D.worm is a Messenger bot designed to steal data (usernames, passwords, addresses…) which could then be used fraudulently.
The file has an MSN Messenger icon in order to confuse users. When the file is run, the process stays resident on the system and is continually injected into the MSN Messenger process and system services, clearly with the aim of capturing data from the computer and then sending it out.
The file makes a copy of itself in C:\Windows and adds a registry entry so that it runs on every system startup and continues stealing data from the computer.
This malware is normally distributed via email to contacts it captures in Messenger.
Finally, it creates a .txt file in C:\Windows in which it compiles and saves the stolen data.
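The three host-side indicators the report gives for the worm (an executable copied directly into C:\Windows, a Run-type registry entry that starts it, and a .txt drop file in C:\Windows) are simple to check for during triage. The script below is an added example written for this page, not code from Panda or PandaLabs: it walks a set of Run-key values and a directory listing and flags those indicators. The registry values, filenames (msnupd.exe, msndata.txt) and the allowlist of executables that normally live directly in C:\Windows are all constructed or assumed for the example; a real check would read the live Run keys and directory and use the allowlist appropriate to the Windows version.

```python
"""Host-triage check for the persistence indicators described in the report.
All sample data below is constructed for this example, not taken from a real machine."""
import ntpath
from dataclasses import dataclass

WINDOWS_ROOT = r"C:\Windows"

# Executables that Windows itself keeps directly in C:\Windows (assumed allowlist for this example).
KNOWN_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "run_key", "root_exe" or "drop_file"
    detail: str


def is_directly_in(path: str, directory: str) -> bool:
    """True when `path` names a file sitting directly in `directory` (subfolders such as System32 excluded)."""
    head, tail = ntpath.split(path)
    return bool(tail) and head.rstrip("\\").lower() == directory.lower()


def command_executable(command: str) -> str:
    """Extract the program path from a Run-key command line, honouring a quoted first argument."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_run_entries(run_values: dict) -> list:
    """Flag Run-key values whose program is an unexpected executable directly in C:\\Windows."""
    findings = []
    for name, command in run_values.items():
        exe = command_executable(command)
        if is_directly_in(exe, WINDOWS_ROOT) and ntpath.basename(exe).lower() not in KNOWN_ROOT_EXES:
            findings.append(Finding("run_key", f"{name} -> {exe}"))
    return findings


def check_windows_root(listing: list) -> list:
    """Flag unexpected executables and .txt files sitting directly in C:\\Windows."""
    findings = []
    for path in listing:
        if not is_directly_in(path, WINDOWS_ROOT):
            continue
        name = ntpath.basename(path).lower()
        if name.endswith(".exe") and name not in KNOWN_ROOT_EXES:
            findings.append(Finding("root_exe", path))
        elif name.endswith(".txt"):
            findings.append(Finding("drop_file", path))
    return findings


def triage(run_values: dict, listing: list) -> list:
    """Run both checks and return every finding, Run-key findings first."""
    return check_run_entries(run_values) + check_windows_root(listing)


# Constructed sample input: value names and filenames are hypothetical.
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "Messenger": r'"C:\Windows\msnupd.exe" -background',
}
SAMPLE_LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\msnupd.exe",     # hypothetical copy dropped by the worm
    r"C:\Windows\msndata.txt",    # hypothetical file holding captured data
    r"C:\Windows\win.ini",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_LISTING):
        print(f"[{finding.kind}] {finding.detail}")
```

On the sample data the script reports the Run-key entry, the executable in the root of C:\Windows and the .txt file, while leaving explorer.exe, the System32 entries and win.ini alone. The allowlist is the part that needs tuning: an executable directly in C:\Windows is unusual but not unheard of, so the check is a triage lead to be confirmed against the file's hash and signature, not a verdict on its own.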