
As Bkis predicted in the previous blog entry, Emails from Santa, virus distributors have taken action this Christmas season.

On November 28, 2009, the Bkis honeypot collected multiple malicious emails impersonating a Coca-Cola Christmas promotion campaign.

[Image XmasCo1: the fake Coca-Cola promotion email]

The email carries an enticing message: “Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details” to trick users into opening the attached file.

When users run the attached file, their computers are infected with a backdoor. The hacker is then able to take remote control of the victim's machine and steal important data.

Below is the detailed analysis of this worm:

  • Name: W32.XmasCo.Worm
  • Family: W32.XmasCo.Worm
  • Type: Worm
  • Discovered: November 28, 2009
  • Size: 439 KB
  • Severity: high

Risks:

  • Reduces system security level.
  • Installs backdoor.

Symptoms:

  • Registry is modified.
  • The following window is popped up:

[Image XmasCo2: the window popped up by the worm]

Infection methods:

  • Via websites.
  • Via emails.

Preventions:

  • Do not visit websites that offer software cracks or hacking techniques, or websites with erotic content.
  • Do not open unknown attachments, particularly files with .exe, .com, .pif and .bat extensions.

Technical details:

  • Writes the following registry values so that the worm is launched at Windows start-up:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}]
    StubPath = "%SystemDir%\qnx.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Wind River Systems = "%SystemDir%\vxworks.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    QnX = "%SystemDir%\qnx.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    QnX = "%SystemDir%\qnx.exe"

  • Copies itself to %SystemDir% under the file name "vxworks.exe".
  • Drops the file "%SystemDir%\qnx.exe".
  • Opens the following ports to receive the attacker's commands: 1051, 1070, 1085 and 1086.
  • Connects to the following servers (IP address and port) to download additional malicious code onto the infected machine:

    63.249.1.40 (port 25)
    63.249.1.41 (port 25)
    70.87.6.99 (port 25)
    84.17.190.210 (port 25)
    72.233.89.197 (port 80)

  • Mass-mails addresses harvested from the infected machine, using noreply@coca-cola.com as the spoofed sender address.
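The indicators above (dropped file names, backdoor ports, C2 servers) can be turned into a simple host-hunting check. The script below is an added example, not Bkis's own tool: it matches autorun entries in a registry export (regedit /e format) against the dropped file names and flags netstat -an lines that show a backdoor listener or a connection to one of the listed servers. The registry export and netstat lines are constructed samples, not captures from an infected machine.

```python
import re

# Indicators taken from the advisory above.
DROPPED_FILES = {"qnx.exe", "vxworks.exe"}
BACKDOOR_PORTS = {1051, 1070, 1085, 1086}
C2_ENDPOINTS = {("63.249.1.40", 25), ("63.249.1.41", 25), ("70.87.6.99", 25),
                ("84.17.190.210", 25), ("72.233.89.197", 80)}

def scan_reg_export(text):
    """Return (key, value name, data) for registry values whose data points at a dropped file."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # start of a new key section
            key = line[1:-1]
            continue
        m = re.match(r'^"?([^"=]+?)"?\s*=\s*"(.*)"$', line)   # accepts "Name"="x" and Name = "x"
        if key and m:
            data = m.group(2).replace("\\\\", "\\")             # .reg exports double the backslashes
            if data.lower().rsplit("\\", 1)[-1] in DROPPED_FILES:
                hits.append((key, m.group(1), data))
    return hits

def scan_netstat(lines):
    """Flag listeners on the backdoor ports and connections to the listed C2 hosts (IPv4 netstat -an lines)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        lport = int(parts[1].rsplit(":", 1)[1])
        rhost, rport = parts[2].rsplit(":", 1)
        if parts[3] == "LISTENING" and lport in BACKDOOR_PORTS:
            findings.append(("backdoor-listener", lport))
        elif (rhost, int(rport)) in C2_ENDPOINTS:
            findings.append(("c2-connection", rhost, int(rport)))
    return findings

# Constructed sample artifacts (not real captures): a .reg export and netstat -an output.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="%SystemDir%\\vxworks.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"QnX"="%SystemDir%\\qnx.exe"
'''
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1070           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:49213      63.249.1.40:25         ESTABLISHED",
    "  TCP    192.168.1.5:49214      198.51.100.7:443       ESTABLISHED",
]
```

Running scan_reg_export(SAMPLE_REG) reports the two worm autorun entries and ignores the benign "Updater" value; scan_netstat(SAMPLE_NETSTAT) reports the listener on port 1070 and the connection to 63.249.1.40 on port 25.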

Analyst: Nguyen Cong Cuong
