
Fear of Piracy Opens Door to Virus-Infected Worm

Loredana BOTEZATU

November 15, 2011


Ever thought about going cheap on software rather than purchasing a legit copy? Let’s put it this way. Would you rather install a crack coming from the underbelly of the web than buy a copy of Microsoft Office? Many have made this mistake.

The latest trend in piracy guest-stars the classical worm with a twist: get a software crack, run it, then let the worm that comes with it wreak havoc on your PC. You know this scenario, but there is even more to this story.

A piece of malicious code written in Visual Basic, identified by Bitdefender as Win32.Worm.Coidung.B, spreads via Yahoo Messenger pretending to be an Office Genuine Advantage checker, called “office_genuine.exe”. This file has been used by computer owners to check if their Microsoft Office applications were legit, but the tool got deprecated in December 2010, when Microsoft retired the OGA program.

However, the name of the file usually associated with a legit tool is enough to trick the user into downloading and executing the worm on their computers. Along with the worm another uninvited guest, a file infector known by the name of Win32.Virtob, also reaches the victim’s system. It is currently unknown if the Virtob code has been planted inside the worm with a specific purpose in mind or if it got there as a result of a natural infection, but one thing is sure: the worm travels with a dark passenger.

The worm operates fast, disables the Windows Firewall and opens a backdoor to allow a remote attacker to access and control the compromised computer. The end purposes may very well vary from data theft to DoS attacks, or any other illegal usages for a computer that has a remote access Trojan planted on it.

Coidung makes copies of itself, hiding them in several system folders under various names. Afterwards, it modifies the Registry so that all these copies are launched at startup. Meanwhile, the worm makes sure that none of the copies are deleted, deactivated or removed from startup.
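The persistence pattern just described (one executable copied under several names into system folders, each copy registered as an autorun entry) gives defenders something concrete to hunt for: autorun targets that hash to the same file. The script below is an added example, not Bitdefender's tooling; the Run-key entries and file contents are constructed sample data, and on a live system you would replace them with the real registry values and on-disk files.

```python
"""Hunt for Coidung-style persistence: the same binary stored under
several names in system folders and launched from autorun entries.
Added example; all entries and file contents below are constructed."""
import hashlib
import ntpath
from collections import defaultdict

# Constructed snapshot of ...\CurrentVersion\Run values (name -> target).
SAMPLE_RUN_ENTRIES = {
    "OfficeGenuine": r"C:\Windows\System32\office_genuine.exe",
    "svchst": r"C:\Windows\svchst.exe",
    "WinUpdate": r"C:\Windows\System32\drivers\winupd.exe",
    "Realtek HD Audio": r"C:\Program Files\Realtek\Audio\RAVCpl64.exe",
}

# Constructed file contents standing in for the files on disk.
SAMPLE_FILES = {
    r"C:\Windows\System32\office_genuine.exe": b"MZ...constructed-worm-copy",
    r"C:\Windows\svchst.exe": b"MZ...constructed-worm-copy",
    r"C:\Windows\System32\drivers\winupd.exe": b"MZ...constructed-worm-copy",
    r"C:\Program Files\Realtek\Audio\RAVCpl64.exe": b"MZ...constructed-legit",
}

SYSTEM_DIRS = (r"c:\windows",)  # the worm drops copies in system folders


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_cloned_autoruns(run_entries, files, min_copies=2):
    """Group autorun targets by content hash; keep groups with several paths."""
    by_hash = defaultdict(list)
    for target in run_entries.values():
        data = files.get(target)
        if data is None:
            continue  # target missing on disk; a separate finding, skipped here
        by_hash[sha256(data)].append(target)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def report(run_entries=SAMPLE_RUN_ENTRIES, files=SAMPLE_FILES):
    """One finding per clone group: paths, distinct file names, system-dir count."""
    findings = []
    for h, paths in find_cloned_autoruns(run_entries, files).items():
        names = sorted({ntpath.basename(p).lower() for p in paths})
        findings.append({"sha256": h, "paths": paths, "names": names,
                         "in_system_dirs": sum(in_system_dir(p) for p in paths)})
    return findings
```

A single group of three identically hashed autorun targets, all under the Windows directory and one of them carrying the lure name, is exactly the footprint the paragraph describes.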

Aside from the damage inflicted by the worm, the user’s system must also face the attack coming from the polymorphic virus with backdoor behavior. Virtob attached itself to the worm to be “transported” to different locations, a tactic used by pieces of malware to enhance their own spreading functions.

The virus is known to avoid emulators and virtual machines. It infects ASP, HTM and PHP scripts (the most common file formats for web applications) while waiting for the attacker's commands to download further malware and execute it on the computer.

This approach is not new. Four or five years ago, right after Microsoft launched the controversial Windows Genuine Advantage Validation Notification program, another piece of malware also pretended to be a Windows genuine tool. We know by now that old tricks are habitually recycled by crooks – and with good results. In 2006 and 2007, the malware (Cuebot-K) pretended to be Microsoft Windows Genuine Advantage and spread via AOL Instant Messenger.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
