23 June 2007 05:13 GMT
Multi-lingual IM messages, Bittorrent-seeding, bot-harvesting and dumb irony
With so much malware following similar templates, W32/Impard-A has some functionality that is mildly noteworthy.
It’s controlled by a remote user over IRC, and is capable of sending itself via AIM and MSN, storing itself as a file called IMG009.jpg-www.imagehosting.com inside a zip file called C:\RECYCLER\myphoto.zip, and then sending this zip with a message that promises pictures, written in the same language as the infected computer. This sort of social engineering tries to maximise the chance that recipients will believe it to be legitimate and open the attachment, though this is shot in the foot somewhat by the fact that many of the the phrases have been cut off abruptly.
French computers will send one of the following messages:
- he regard a ma nouvelle image :D
- voulez-vous voir une nouvelle image de moi?
- j’ai recemment trouve une vieille image de moi, je la trouverai et l’enverrai :D
- ca va, regard a la nouvelle photo que j
German computers however pick from this list:
- Blick auf das neue foto, das ich
- he wie geht es Ihnen? meine neue
- ich ein fotoalbum, sollte bilde ich dieses addieren?
- hallo, diese Akte, es annehmen ist fur mein fotoalbum
Spanish computers have a longer list, though a bug in the code means only one of the first 4 will ever get picked:
- hola como eres? comprobar si tienes gusto de mi nuevo cuadro :D
- yo has estado juntando un album de foto, tienes gusto de este cuadro?
- como eres que hace, comprobar hacia fuera este cuadro de mi :D
- Haha.. comprobar hacia fuera mi nuevo cuadro
- a verificacao para fora este retrato que novo eu fiz exame apenas, mim emitir-lheo-a
- como meu retrato novo? :D
- mim tenho feito meu album de foto, devo eu adicionar este retrato?
- se voce nao for ocupado, verificar para fora este retrato novo :D
- hahaha olhar este retrato novo de mim
Italian computers use the following list:
- guardare la mia nuova immagine haha
- lo pensate dovreste aggiungere questa immagine al mio album di foto?
- ciao desiderare vedermi un’immagine?
- come siete, guardare questa nuova immagine di me
And for everybody else, a message is picked from the English list:
- hey check out this photo, dunno if i should add to my alb, lemme send to you
- wanna see this pic of me? :D sec
- hey wanna see this pic of me?
- just took a new pic of me, lemme
- hahaha check out this pic ull die
As well as this IM functionality, this worm may be instructed by a remote user over IRC to seed itself into Bittorrent. If bittorrent.exe is found running on the computer, a torrent is initiated at a chosen location and then W32/Impard-A quickly minimizes the Bittorrent application.
Another feature of the worm is its ability to harvest other bots - it scans through each running process and looks for signs that it might be a bot. If any catch its attention, it first attempts to terminate that process, then to send the file over IRC to its own controller, and finally to delete it. This clean-up isn’t for altruistic reasons, but sees the author staking the infected computer as his territory, while also sending himself the offending bot to add to his own personal arsenal.
The author of this worm seems to have difficulties during its development though, according to postings he made on the internet. It would appear that he was confused when his worm kept increasing in size, in the end realising that he’d managed to infect himself with a particularly nasty memory-resident virus that was repeatedly attacking his shiny new malware. Somewhat ironic - I don’t think many will be shedding a tear for him.
Richard Cohen, SophosLabs Canada
