26 Sep Pinch pinched Nikita
12 Apr LdPinch...again. Yury
06 Mar LdPinch again spammed via ICQ Yury
17 Aug Monikey or: the continuing evolution of Bagle Yury
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
We regularly see Trojans being sent via IM. There's a whole range of approaches used, from standard messages saying 'Hey, take a look at my photos' or links which purportedly lead to useful utilities, to social engineering which plays on people's fears:
[Translation: Look what's been written about you here]
Of course, the pages linked to are stuffed with exploits which are used to turn the victim machine into a malware menagerie.
There's nothing new in these mailings. But today we got another example of a mailing that's been going on for the last three weeks or so – every day, millions of ICQ users are being sent the following message:
[Translation: A new unofficial add-on to the well-known QIP client has been released_www.qip.ru
The add-on includes options such as:
*hide/ fake your number
*hide/ fake your primary email
*eavesdrop on other users (requires qip 8020 or higher)
*check user status
*view user's contact list (requires paid plug-in enquiries to UIN# ****016)
*qip 8000 or higher can be downloaded from _www.qip.ru
*Windows 2000/2003/XP (Vista not supported)
Unpack the archive, launch the Install file remaining files should be located
in the folder together with install.
Download: _http://slil.ru/248### (656 kb)
Although the link does change, sometimes the same link gets sent twice in one day – it depends how quickly antivirus companies react to the latest malware that's placed on the link. If the user is incautious or uninformed enough to click on the link, his or her machine ends up infected with a variant of the ever popular Trojan-PSW.Win32.LdPinch.
We took a look at all the different variants that have been downloaded, and discovered that:
Pinch is a true omnivore – it grabs just about everything it can from the victim machine: the Windows license number, system information, a list of programs installed, as well as ICQ, email and FTP passwords, and passwords saved to Windows Protected Storage.
On the most productive days, the person behind the mass mailings managed to collect up to a hundred logs. And his e-store has a whole bunch of ICQ numbers for sale, presumably stolen from victim machines. He's clearly out to make money – given that malware writers have made the shift from simple disruption to clearly criminal activity, that's no surprise. However, what he maybe doesn't realize is that a careful analysis of Pinch leads to a wealth of information about the author - name, date of birth, town, mobile number and various other personal data.
Good news for those fighting cyber crime, but not so great for those involved in illegal activity.
Over the last few days new variants of Trojan-PSW.Win32.LdPinch have been spreading actively on the Russian internet. This Trojan has been mass mailed, and also spreads via ICQ. Email and ICQ messages may be from unknown users (usually a woman), or from users on your contact list.
There’s nothing really new here. New variants are included in the antivirus database updates we release every hour. So why are we writing about it?
The answer’s simple: lots of users have been careless enough to launch the attachment which contains the Trojan, or to click on the link in the ICQ message which leads to the Trojan. And then, as its name indicates, LdPinch steals passwords from the victim machine.
If you’re one of these users, to prevent any further damage you should:
Over the weekend, we intercepted Trojan-PSW.Win32.LdPinch.ahe - the latest variant of LdPinch.
This malicious program sends itself to everyone on the victim's ICQ contact list. It sends a Russian message which says:
[translation] How to trick WebMoney!
To find out how, read the Help instructions!
The message includes a link to the malicious program file, which is called Help.chm.
We've recently detected a third modification of Email-Worm.Win32.Monikey. It might seem that there's nothing interesting about it - it spreads as an email with the subject heading «Îòêðûòêà ñ POSTCARD.RU» [A Card from POSTCARD.RU]. The body of the message contains what seems to be a link to POSTCARD.RU, but it's actually a link to a compromised site - if the user visits this site, malicious programs will be downloaded onto his/her computer.
In itself, this isn't very interesting. But our interest was piqued by the fact that Monikey incorporates modifications of Trojan-PSW.Win32.Vipgsm and Trojan-PSW.Win32.LdPinch.
Why is this interesting? Well, it's yet more confirmation of our suspicions that LdPinch, Bagle, Monikey and Vipgsm are created by one and the same group of virus writers. (We wrote earlier about LdPinch and Bagle being written by the same group.) Until now, we weren't sure that Monikey and Vipgsm were created by the same people - it was just a suspicion. Monikey contains code which is almost identical to some of Bagle's code, but until now we thought that Monikey was simply based on Bagle's source code, which is probably out there somewhere on the Internet.
The fact that nearly all the embedded malicious programs are encrypted using Trojan-PSW.Win32.LdPinch's “proprietary” algorithm seems to confirm our theory. And it's noteworthy that the latest version of Monikey appeared at the same time that the Bagle authors returned to 'work' after their summer vacations.
All of the above reinforces our suspicions that it's the same people behind a number of families of malicious programs. It also confirms our prediction that the authors of Bagle would start using new approaches and technologies.
All the malicious programs have been deleted from the compromised sites, and a lot of sites have published information and apologies, stating that they did not initiate any mass mailing. However, it's still not clear how these sites were accessed - this might have been done using passwords which were stolen using a program similar to LdPinch.
All these malicious programs have been added to Kaspersky Anti-Virus database updates.