
New twitter worm


Hello,
Today while I was on Twitter I found one suspicious link to an exe file, which said something like

"Kristen Stewart from twilight new moon Nude pics! http://www.mediafire.com/?m…"

I downloaded it and checked it on VirusTotal; there were 2 detections. Then I installed it in my virtual machine.
It installs lots of legitimate files.
I think the .NET Framework is needed for this malware to work, because it was downloading the .NET Framework, and after the installation of the .NET Framework one new process came up, named alg.exe.

I have included 3 links to the downloaded malware; can anybody analyze it and tell me what it does?

I have reported it in my website.
http://obscurant1st.biz/blog/newmoon-worm-in-twitter-kristen-stewart

The links are:
alg - http://www.offensivecomputing.net/?q=ocsearch&ocq=2dba3c3d70b8bcc0356e58c971243ac0
Kristen_Stewart.exe - http://www.offensivecomputing.net/?q=ocsearch&ocq=0b10fba0977c9b04e2dcb9f63fca8e93
irsetup.exe - http://www.offensivecomputing.net/?q=ocsearch&ocq=76da2c7c124183acf74251db2a336a79

Of these, Kristen_Stewart.exe is the malware that was available through the Twitter link.

New Twitter Worm

A quick look at the version info on the ALG.EXE file shows a company name called SornSoft. I don't know if it would be proper to include the link but I used a search engine to find an organization with that name. The site seems pretty hokey, and offers several "marketing" software tools for a fee, including some kind of binder and even a downloader. It also links to another firm that offers a kind of dropper that will hijack someone's browser.

New Twitter Worm - Additional info

I followed a link from the SornSoft website to another one which I think would be safe to give out here since it is obviously malicious. Check it out: kuzler.com

Sandbox Analyzed

Sorry this is a bit late...

Changes to filesystem:
* Creates file C:\ErrLog.txt (Contains Installer Log for Malware)
* Creates file C:\Program Files\Common Files\alg.exe
- MD5: 2dba3c3d70b8bcc0356e58c971243ac0
- Filesize: 33889 bytes

Network Findings:
* Port 1049 UDP was opened.
* Established connection to 72.29.77.243

Changes to registry:
* Deletes value "AppId" in key HKEY_LOCAL_MACHINE\software\classes\clsid\{ceff45ee-c862-41de-aee2-a022c81eda92}
* Deletes Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{DBC80044-A445-435B-BC74-9C25C1C588A9}
* Modifies value "Name=dw20.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication
* Modifies value "ID=4889DC4E" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication

Additional Information:
http://www.aurellosoft.org/site/index.php/threat-information-mainmenu-26/14-viruses/85-w32twizzle.html
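As an added example (not part of the thread, and not code from the sandbox's author), here is a read-only PowerShell sweep that checks a Windows host for the artifacts listed in the sandbox post above. The indicator values are taken from that post; the assumption that the legitimate alg.exe (Application Layer Gateway service) lives under System32 is mine, and Get-FileHash / Get-NetTCPConnection need PowerShell 4 on Windows 8 / Server 2012 or later.

```powershell
# Added example: sweep this host for the indicators reported in the sandbox post.
# Values below are copied from the post. The script only reads; it changes nothing.
$AlgPath  = 'C:\Program Files\Common Files\alg.exe'
$AlgMd5   = '2dba3c3d70b8bcc0356e58c971243ac0'
$ErrLog   = 'C:\ErrLog.txt'
$RemoteIp = '72.29.77.243'
$DDrawKey = 'HKLM:\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication'

$hits = @()

# 1. Dropped binary: is it present, and does its MD5 match the reported sample?
if (Test-Path -LiteralPath $AlgPath) {
    $md5  = (Get-FileHash -LiteralPath $AlgPath -Algorithm MD5).Hash.ToLower()
    $size = (Get-Item -LiteralPath $AlgPath).Length
    if ($md5 -eq $AlgMd5) { $hits += "alg.exe matches reported MD5 ($size bytes)" }
    else { $hits += "alg.exe present but MD5 differs ($md5, $size bytes): inspect manually" }
}

# 2. Installer log written to the drive root
if (Test-Path -LiteralPath $ErrLog) { $hits += "installer log found at $ErrLog" }

# 3. Live TCP connection to the reported remote address
$conn = Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue
if ($conn) { $hits += "active connection to $RemoteIp (PID $($conn.OwningProcess -join ','))" }

# 4. Listener on the UDP port the sandbox saw opened
$udp = Get-NetUDPEndpoint -LocalPort 1049 -ErrorAction SilentlyContinue
if ($udp) { $hits += "UDP port 1049 bound (PID $($udp.OwningProcess -join ','))" }

# 5. DirectDraw MostRecentApplication value the sample modified
if (Test-Path -LiteralPath $DDrawKey) {
    $props = Get-ItemProperty -LiteralPath $DDrawKey
    if ($props.Name -eq 'dw20.exe') { $hits += "DirectDraw MostRecentApplication Name = dw20.exe" }
}

# 6. Any alg.exe process not running from System32 (assumed legitimate location of the
#    Application Layer Gateway service binary of the same name)
Get-Process -Name alg -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*") {
        $hits += "alg.exe running from unexpected path: $($_.Path)"
    }
}

if ($hits.Count -eq 0) { 'No indicators from the thread found on this host.' }
else { $hits | ForEach-Object { "[HIT] $_" } }
```

Run it from an elevated prompt so the process paths and network tables are fully visible; a hash mismatch on alg.exe is still worth a manual look, since the post only records one build of the dropped file.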