On June 7, 2010, Bkis’ honeypot discovered a new wave of attacks targeting Twitter, one of the most popular social networking sites in the world. The attackers pose as Twitter’s support team and send phishing emails about “password theft”, a sensitive issue that most users are concerned about.
The link to the malware is disguised as a genuine Twitter link using a few simple tricks, which makes the email’s content look more trustworthy. When users click that link, they are in fact following the malicious one.
After the virus (detected as W32.TwittFake.Trojan by Bkav) is “accidentally” downloaded and run, it constantly pops up false notices about the state of the system.
When users click the link in these notices, they download a Fake AV, a type of malware that scams users for profit, instead of software that repairs the system.
After analyzing TwittFake Trojan, we found that this malware performs a number of dangerous actions:
- Copies itself to the %Temp% folder as the file "mscdexnt.exe"
- Drops the following files: %Temp%\kernel64xp.dll and %Temp%\wscsvc32.exe
- Writes a registry key so that the virus’ file is run whenever any .exe file is launched
- Writes registry keys that disable the Windows “Task Manager” feature
- Installs a backdoor to receive and execute the attacker’s commands
- Periodically pops up false notices about the system; when users click the links in them, the virus is downloaded automatically and FakeAV is installed
- Downloads FakeAV and other malicious code from the following link:
  - http:// find[removed]id.org/any/139-direct.ex
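The indicators above can be checked on a suspect machine with a short triage script. The following PowerShell is an added example written for this page, not code from Bkis or from the original post. It assumes, since the post does not name the exact registry locations, that the “run when any .exe is launched” behaviour is implemented through the `HKCR\exefile\shell\open\command` default value and that Task Manager is disabled through the `DisableTaskMgr` policy value; both are well-known Windows locations for those effects, but their use by this sample is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Bkis post): defender-side triage for the
# W32.TwittFake.Trojan indicators listed in the analysis.
# ASSUMPTIONS (not stated in the post): the .exe launch hijack lives in
# HKCR\exefile\shell\open\command, and Task Manager is disabled via DisableTaskMgr.

$findings = @()

# 1. Dropped files named in the analysis, expected under %Temp%.
$dropped = @('mscdexnt.exe', 'kernel64xp.dll', 'wscsvc32.exe')
foreach ($name in $dropped) {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "Dropped file present: $path (SHA256 $hash)"
    }
}

# 2. .exe launch hijack. The default command is exactly '"%1" %*'; anything else
#    means every program launch is routed through some other executable first.
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -LiteralPath $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -and $exeCmd -ne '"%1" %*') {
    $findings += "exefile open command changed from default: $exeCmd"
}

# 3. Task Manager disabled by policy (check both the user and machine hives).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $v = (Get-ItemProperty -LiteralPath $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($v -eq 1) {
        $findings += "Task Manager disabled by policy: $key\DisableTaskMgr = 1"
    }
}

# 4. Any of the dropped executables currently running.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $dropped -contains ($_.ProcessName + '.exe') } |
    ForEach-Object { $findings += "Running process: $($_.ProcessName) (PID $($_.Id))" }

if ($findings.Count -eq 0) {
    Write-Output 'No TwittFake indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

One caveat when cleaning up a host that shows the exefile finding: restore that registry value to its default `"%1" %*` before deleting the file it points at, otherwise no .exe on the machine will launch until the value is repaired.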
This is clearly a carefully planned scenario designed to trick users out of their money. Such scenarios prove rather effective because users do not take due caution with the information they receive from the Internet. Once again, we recommend that users carefully check the source of any information they receive before opening it, and keep the antivirus software on their computers updated to the latest version.