Dynamic worm wreaks havoc

A rather industrious worm has been detected by Trend Micro threat analysts, and it usually infects users who have been careless enough to click on a link offered in a variety of unsolicited emails.

The emails use various approaches. Sometimes it’s a “Document I told you about”. Other times it’s a “Free download of a sex movie” or a job application letter. In any case, the presented link points to the worm.

When executed, the worm does a whole bunch of things:

  • Terminates the running AV solution, and attempts to delete it
  • Creates registry entries that deactivate security alerts and secure desktop prompting
  • Tries to access users’ Yahoo! Messenger files (possibly trying to harvest Yahoo! Messenger IDs to send copies of itself)
  • Uses the Messaging Application Programming Interface (MAPI) to send out emails with a copy of itself (but can also spread itself via removable drives)
  • Connects to several malicious websites
  • Forces the sharing of some System folders as Updates
  • Downloads a backdoor

The interesting thing is that Trend Micro detected the packed version of this same worm a while back, so they speculate that the criminals behind this version have managed to get their hands on the original code and adjusted it to their needs.
