
New twitter worm


Today while I was on Twitter I found one suspicious link to an exe file which said something like

"Kristen Stewart from twilight new moon Nude pics!…"

I downloaded it and checked it in VirusTotal, and there were 2 detections. Then I installed it in my virtual machine.
It installs lots of legitimate files.
I think the .NET Framework is needed for this malware to work, because it was downloading the .NET Framework, and after the installation of the .NET Framework one new process came up, and its name was alg.exe.

I have included 3 links to the downloaded malware; can anybody analyze it and tell me what it does?

I have reported it in my website.

the links are:
alg -
Kristen_Stewart.exe -
irsetup.exe -

Of these, Kristen_Stewart.exe is the malware which was available through the Twitter link.

New Twitter Worm

A quick look at the version info on the ALG.EXE file shows a company name called SornSoft. I don't know if it would be proper to include the link but I used a search engine to find an organization with that name. The site seems pretty hokey, and offers several "marketing" software tools for a fee, including some kind of binder and even a downloader. It also links to another firm that offers a kind of dropper that will hijack someone's browser.

New Twitter Worm - Additional info

I followed a link from the SornSoft website to another one which I think would be safe to give out here since it is obviously malicious. Check it out:

Sandbox Analyzed

Sorry this is a bit late...

Changes to filesystem:
* Creates file C:\ErrLog.txt (Contains Installer Log for Malware)
* Creates file C:\Program Files\Common Files\alg.exe
- MD5: 2dba3c3d70b8bcc0356e58c971243ac0
- Filesize: 33889 bytes

Network Findings:
* Port 1049 UDP was opened.
* Established connection to

Changes to registry:
* Deletes value "AppId" in key HKEY_LOCAL_MACHINE\software\classes\clsid\{ceff45ee-c862-41de-aee2-a022c81eda92}
* Deletes Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{DBC80044-A445-435B-BC74-9C25C1C588A9}
* Modifies value "Name=dw20.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication
* Modifies value "ID=4889DC4E" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication

Additional Information: