Scrapkut Orkut Worm
Original issue date: March 7, 2008
A worm named Scrapkut that targets Orkut users has been observed spreading widely. Orkut is a social networking site. The worm uses active code injection to propagate itself to the Orkut friends of the victim user.
A malicious scrap message containing a fake link to a YouTube video, purporting to be from a known member of the victim's friend list, is posted to the victim's scrapbook. When the victim clicks on the link, they are redirected to a malicious website which prompts them to download the file “flashx_player_9.8.0.exe”, disguised as a Flash upgrade. When executed, the malicious binary downloads further binaries windosremote.exe, logservicess.exe and win32chekupdate.exe to perform malicious actions on the victim system. The downloaded file logservicess.exe copies itself as maindwxp.exe to different locations to ensure its execution on every startup of the infected system. When a user visits Orkut and starts a session from the infected system, maindwxp.exe injects JavaScript code into the active Orkut web session, where it executes in the context of the Orkut domain and the user's authenticated session. The execution of the binary results in a malicious scrapbook entry in the scrapbooks of all the victim's friends.
Aliases: W32/Scrapkut-A [Sophos], W32.Scrapkut [Symantec]
In view of the rapid propagation of the malware, users are advised to implement the following countermeasures:
- Remain cautious while visiting any link provided in Orkut Scraps.
- Keep up-to-date patches and fixes on the Operating System and Application Software.
- Keep up-to-date Antivirus and Antispyware signatures.
- Do not visit untrusted websites.
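The file names listed in the description above can be swept for in process-creation or file-inventory logs. The following is an added example, not part of the original advisory; the CSV log format, host names and paths are constructed for illustration, and only the five file names come from the advisory.

```python
import csv
import io
import ntpath
from collections import defaultdict

# File names taken from the advisory text, mapped to their role in the chain.
SCRAPKUT_FILES = {
    "flashx_player_9.8.0.exe": "dropper (fake Flash upgrade)",
    "windosremote.exe": "downloaded payload",
    "logservicess.exe": "downloaded payload",
    "win32chekupdate.exe": "downloaded payload",
    "maindwxp.exe": "start-up copy / Orkut session injector",
}

# Constructed sample: host,timestamp,image_path (hypothetical log format;
# the hosts and directories are made up, the advisory names no locations).
SAMPLE_LOG = r"""host,timestamp,image_path
PC-01,2008-03-07T10:02:11,C:\Documents and Settings\asha\Desktop\FlashX_Player_9.8.0.exe
PC-01,2008-03-07T10:02:40,C:\Temp\logservicess.exe
PC-01,2008-03-07T10:03:05,C:\Temp\copy1\MAINDWXP.EXE
PC-02,2008-03-07T10:05:00,C:\Program Files\Internet Explorer\iexplore.exe
PC-03,2008-03-07T11:15:09,C:\Temp\win32chekupdate.exe.bak
"""

def find_scrapkut_artifacts(log_text):
    """Return {host: [(timestamp, file_name, role), ...]} for matching rows."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        # ntpath splits Windows paths correctly on any OS; names are
        # lower-cased because Windows file names are case-insensitive.
        name = ntpath.basename(row["image_path"].strip()).lower()
        role = SCRAPKUT_FILES.get(name)  # exact file-name match only
        if role:
            hits[row["host"]].append((row["timestamp"], name, role))
    return dict(hits)

def hosts_with_persistence(hits):
    """Hosts where the start-up copy maindwxp.exe was seen."""
    return sorted(h for h, rows in hits.items()
                  if any(name == "maindwxp.exe" for _, name, _ in rows))

if __name__ == "__main__":
    found = find_scrapkut_artifacts(SAMPLE_LOG)
    for host, rows in sorted(found.items()):
        for ts, name, role in rows:
            print(f"{host} {ts} {name}: {role}")
    print("Start-up copy observed on:", hosts_with_persistence(found))
```

A host that shows maindwxp.exe should be treated as able to post scraps from any Orkut session started on it, per the description above.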
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
