In-Depth

Alerts

New Vulnerabilities Steal Financial Data Via ICQ, Target P2P File Traders, and Delete Office Files

• By Mathew Schwartz
• 03/03/2004

Bizex Aims for ICQ Users’ Financial Information

Users of ICQ, an instant messaging, have been targeted by Bizex, a worm that spreads via ICQ. Antivirus software company Kaspersky Labs estimates over 50,000 PCs have been infected. Products such as Miranda and Trilliam, which interoperate with a number of instant messaging programs, are immune, it notes.

The worm sends automated messages to ICQ inviting them to a Web site. Site visitors see a cartoon, while unbeknownst to them the site takes advantage of an Internet Explorer vulnerability (since patched by Microsoft) to push a file at the user’s computer on the sly. The file automatically downloads Bizex and launches it.

Infected computers have a Windows system folder named “sysmon.” The worm, named “sysmon.exe,” is inside and gets loaded into memory whenever the PC boots.

After discovering the PC’s ICQ contact list, the worm disconnects the ICQ user, then, pretending to be the user, it sends a Web site link to the contacts.

The worm also targets a user’s financial information; it’s able to harvest information on “payment systems,” notes Kaspersky, which then get quietly uploaded to an anonymous, remote server.

Vulnerable payment systems include: Wells Fargo, American Express UK, Barclaycard, Credit Lyonnais, Bred.fr, Lloyds, and E-gold. Likewise the worm will intercept HTTPS communications (typically used for sensitive Web sessions, including financial matters) log-in information and also forward that to the server.

“We see this as a bare-faced attempt to make money,” says Eugene Kaspersky, head of anti-virus research at Kaspersky Labs. In particular, “The new method of penetration, the fact that ICQ has not been used for such an attack before, and the wide range of spy functions—this combination is sure to reap huge profits for the author of Bizex, in spite of the fact that the site was closed down four hours after the start of the outbreak."

Kaspersky advises users to “be very cautious about visiting suspicious sites,” and to “install updates for Internet Explorer and Windows immediately."

New Netsky Arrives

According to antivirus software maker F-Secure, “This variant has been improved [compared] to previous variants of the worm. Netsky.C spreads itself in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives.” Peer-to-peer (P2P) file sharing programs typically rely upon shared folders, meaning if the worm created a fake file name of interest to a file trader, the worm could spread through the P2P networks. Not surprisingly, the worm picks from a what’s-hot list of potential file names, including “Win Longhorn Beta.exe,” “Doom 3 Beta.exe,” and “How to hack.doc.exe.”

The subject line, message body, and attachment name options have similarly been dramatically expanded.

The new worm comes with a number of other changes. For example, when run for the first time, the worm no longer displays an error message box. Also, the worm copies itself to the Windows folder as “winlogon.exe” and makes a registry entry to that effect.

The new worm also deletes MyDoom registry keys.

Interestingly, when the worm harvests the infected PC for e-mail addresses, it avoids sending e-mail to any company name containing strings such as icrosoft, antivi, ymantec, f-secur, cafee, aspersky, f-pro, orton, and fbi.

As with the previous version, all attachments can include multiple file extensions, however the first extension will always be: .txt, .rtf, .doc, or .htm. The second extension will be .exe, .scr, .com, or .pif.

Latest MyDoom Deletes Files

The latest version of the MyDoom worm, MyDoom.F, not only infects computers—if a user executes the worm, which arrives attached to e-mail messages or via P2P networks, gathers e-mail addresses, and preps computers for denial-of-service attacks. It can delete files as well.

If executed, the worm searches the infected PC’s files for e-mail addresses. It matches file extensions against a given list, skipping any file smaller than 40 bytes.

After getting e-mail addresses from a file, the worm again matches file extensions, then sometimes deletes the files.

According to F-Secure, the worm deletes the following file extensions with the following probabilities: .doc (40 percent), .xls (60 percent), .sav (95 percent), .jpg (8 percent), .avi (10 percent), .bmp (15 percent).

F-Secure notes that “once the scan of the machine and its drives is finished, it will sleep for 32 seconds and start again.”