

VIRUS ALERTS

Bancorkut Worm

Original issue date: April 08, 2008

It has been observed that a mass-mailing worm named Bancorkut is spreading widely. It spreads when a user clicks the malicious link embedded in the body of the e-mail message; the worm arrives as a download from that link, not as an attachment.

The worm collects confidential information, such as usernames and passwords, from the infected system and from certain web sites, and sends it to a remote server under the attacker's control. The stolen credentials are then used for fraudulent banking transactions.

The worm downloads files from a remote server to the infected system. These files contain the text of the e-mail, which is then sent to the e-mail addresses the worm collects from the following locations:

  • Contact list in MSN Messenger
  • Files with extensions .dbx, .wab, .mbx, .eml
  • Social networking Web site
    www.orkut.com

Typical e-mail contents are as follows:

           From: Orkut Seu Profile foi Denunciado
           Subject: empty
           Body:
           Motivo:
           Você está infectado(a) por algum Malware/Vírus.
           Seu perfil está enviando mensagens ilí [REMOVED] rá apagado.
           Orkut.com (c) 2008 - Google.com.br e seus fornecedores. Todos os direitos reservados.

The lure is written in Portuguese. In English the From name reads "Orkut: Your Profile Has Been Reported", and the body reads "Reason: You are infected with some Malware/Virus. Your profile is sending [REMOVED] deleted. Orkut.com (c) 2008 - Google.com.br and its suppliers. All rights reserved."
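A mail-gateway check for this lure, added here as an example; it is not part of the original advisory and not CERT-In's or any vendor's code. It parses a raw message and reports which traits of the lure it carries: the spoofed From display name, the empty Subject, the Portuguese body phrases (compared accent- and case-insensitively, since charsets vary between samples), and any link in the body whose host is not orkut.com or google.com.br, the brands the lure imitates. The sample message, its sender address and its link host are constructed for the demonstration.

```python
"""Flag e-mail that matches the Bancorkut lure quoted in the advisory.

Added example; not CERT-In's or any vendor's code. The message below is
constructed: the sender address and the link host are made up.
"""
import re
import unicodedata
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

LURE_FROM_NAME = "Orkut Seu Profile foi Denunciado"
# Phrases quoted in the advisory; compared after accents and case are folded.
LURE_PHRASES = ("Voce esta infectado", "Seu perfil esta enviando mensagens")
IMITATED_HOSTS = ("orkut.com", "google.com.br")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample of the lure (not a real captured message).
SAMPLE = """\
From: Orkut Seu Profile foi Denunciado <orkut@lure.example.invalid>
To: victim@example.invalid
Subject:
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Motivo:
Você está infectado(a) por algum Malware/Vírus.
Veja: http://lure.example.invalid/perfil
Orkut.com (c) 2008 - Google.com.br e seus fornecedores. Todos os direitos reservados.
""".encode("utf-8")


def fold(text):
    """Strip accents and case so 'Você' and 'voce' compare equal."""
    return (unicodedata.normalize("NFKD", text)
            .encode("ascii", "ignore").decode().casefold())


def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def lure_traits(raw):
    """Return the lure traits found in a raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    traits = []
    name, _addr = parseaddr(str(msg.get("From", "")))
    if fold(name) == fold(LURE_FROM_NAME):
        traits.append("from-name")
    if not (msg.get("Subject") or "").strip():
        traits.append("empty-subject")
    body = body_text(msg)
    folded = fold(body)
    if any(fold(p) in folded for p in LURE_PHRASES):
        traits.append("body-phrase")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in IMITATED_HOSTS):
            traits.append("offbrand-link:" + host)
    return traits


def is_bancorkut_lure(raw):
    """True when the From name matches and at least one other trait is present."""
    traits = lure_traits(raw)
    return "from-name" in traits and len(traits) >= 2


if __name__ == "__main__":
    print(lure_traits(SAMPLE))
    print(is_bancorkut_lure(SAMPLE))
```

Requiring the From name plus one more trait keeps the rule from firing on a legitimate Orkut notification that merely mentions a virus, while still catching copies of the lure whose body text was re-encoded in transit.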

Upon execution, the worm:

  • Creates the file %Windir%\avgsh.exe
  • Creates the following registry entries to ensure its execution on every system startup:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run\"AVGShield"="%Windir%\avgsh.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run\"MSMSGS" = "%Program Files%\
      Messenger\msmsgs.exe /background"
  • Searches for email addresses in files with the following extensions:
    .dbx, .wab, .mbx, .eml
  • Attempts to steal email addresses from the contact list in MSN Messenger.
  • Attempts to steal email addresses from the user account of the following social networking Web site:
    www DOT orkut DOT com
  • It also attempts to steal user passwords from the following Web site:
    www DOT terra DOT com
  • Sends the gathered information to the following locations:
    • [http://]maejoana DOT byethost13 DOT com
  • It may then download files from the following location on to the compromised computer:
    • [http://]feliznatal DOT rbcmail DOT ru
  • Downloads potentially malicious files from the following locations on to the compromised computer (DOT stands for "."):
    • [http://]74 DOT 254 DOT 144 DOT 200
    • [http://]www DOT ecologia-domestica DOT org
    • [http://]outthegarage DOT com
    • [http://]www DOT baixa DOT la

In view of the rapid propagation of the Bancorkut worm, users are advised to implement the following countermeasures:

  • Do not click links in unsolicited or untrusted e-mail messages.
  • Block access to the malicious domains and the IP address listed above at the gateway, and log the blocked attempts: a connection to the upload location identifies an infected host on the internal network.
  • Search for the file %Windir%\avgsh.exe and the process started from it, terminate the process and delete the file.
  • Search for the registry entries listed above and delete them. Note that the HKEY_CURRENT_USER "MSMSGS" value, with exactly the same data, is also created by the legitimate Windows Messenger; treat it as evidence only when the "AVGShield" value or avgsh.exe is also present.
  • Enforce a password policy so that password files recovered from a compromised computer are difficult to crack, and change any banking, Terra or Orkut passwords that were entered on an infected computer, since the worm captures them directly.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
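A triage script for the host and network indicators listed above and the search and block steps in the countermeasures, added here as an example; it is not part of the original advisory and not CERT-In's or any vendor's tool. It undoes the "DOT" / "[http://]" defanging so the indicators match real registry data and proxy log fields, reports only the AVGShield Run value (the MSMSGS value is skipped on its own, for the reason given above), matches the dropped avgsh.exe under %Windir%, and scans a proxy log for requests to the listed hosts. The sample Run values, file paths and proxy log lines are constructed; the proxy log format (time, client, method, URL, status) is an assumption; on a Windows host collect_windows_run_values() reads the real Run keys.

```python
"""Triage the Bancorkut host and network indicators from the advisory.

Added example; not CERT-In's or any vendor's tool. Sample data below is
constructed; the proxy log layout is assumed, not taken from any product.
"""
import ntpath
import re
from urllib.parse import urlparse

DEFANGED = [  # as listed in the advisory
    "[http://]maejoana DOT byethost13 DOT com",
    "[http://]feliznatal DOT rbcmail DOT ru",
    "[http://]74 DOT 254 DOT 144 DOT 200",
    "[http://]www DOT ecologia-domestica DOT org",
    "[http://]outthegarage DOT com",
    "[http://]www DOT baixa DOT la",
]
DROPPED_FILE = "avgsh.exe"   # created under %Windir%
RUN_VALUE = "AVGShield"      # HKLM\...\Run value that starts avgsh.exe


def refang(indicator):
    """'[http://]a DOT b' -> 'a.b'; the DOT token is matched case-insensitively."""
    s = re.sub(r"^\[?https?://\]?", "", indicator.strip())
    return re.sub(r"\s+dot\s+", ".", s, flags=re.IGNORECASE).lower()


BAD_HOSTS = frozenset(refang(d) for d in DEFANGED)


def check_run_values(run_values):
    """run_values: {(hive, value_name): data}. Returns the suspicious entries.

    Only the AVGShield value, or any value whose data runs avgsh.exe, is a
    hit. MSMSGS is deliberately not matched: Windows Messenger creates the
    same value with the same data, so on its own it proves nothing.
    """
    return [f"{hive}\\...\\Run\\{name} = {data}"
            for (hive, name), data in run_values.items()
            if name.lower() == RUN_VALUE.lower() or DROPPED_FILE in data.lower()]


def check_files(paths, windir=r"C:\WINDOWS"):
    """Return the paths that are the dropped avgsh.exe under windir."""
    target = ntpath.join(windir, DROPPED_FILE).lower()
    return [p for p in paths if p.lower() == target]


# Constructed proxy log: "<time> <client> <method> <url> <status>".
PROXY_LOG = """\
2008-04-08T10:15:02Z 10.0.0.21 GET http://www.orkut.com/ 200
2008-04-08T10:15:09Z 10.0.0.21 POST http://maejoana.byethost13.com/ 200
2008-04-08T10:16:40Z 10.0.0.33 GET http://74.254.144.200/ 200
2008-04-08T10:17:01Z 10.0.0.33 GET http://www.baixa.la/ 404
""".splitlines()


def check_proxy_log(lines):
    """Return (client, host) pairs for requests to a listed Bancorkut host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = (urlparse(fields[3]).hostname or "").lower()
        if host in BAD_HOSTS:
            hits.append((fields[1], host))
    return hits


def collect_windows_run_values():
    """Read the live HKLM and HKCU Run keys; returns {} when not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for label, hive in hives.items():
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _type = winreg.EnumValue(key, i)
                found[(label, name)] = str(data)
    return found


if __name__ == "__main__":
    sample_run = {("HKLM", "AVGShield"): r"C:\WINDOWS\avgsh.exe",
                  ("HKCU", "MSMSGS"): r"C:\Program Files\Messenger\msmsgs.exe /background"}
    print(check_run_values(sample_run))                    # AVGShield entry only
    print(check_files([r"C:\WINDOWS\avgsh.exe"]))
    print(check_proxy_log(PROXY_LOG))                      # three hits, two clients
    print(check_run_values(collect_windows_run_values()))  # live check; [] off Windows
```

The clients that appear in the proxy hits are the hosts to isolate first; a request to maejoana.byethost13.com means credentials have already been uploaded, so the password reset in the countermeasures applies to whoever used that machine.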

References

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-032608-3206-99&tabid=2

http://www.esecurityplanet.com/alerts/article.php/3736681

http://www.precisesecurity.com/threats/w32bancorkutmm/

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003