Fake Twitter spam – Merond Worm (Oct 2, 2009)

SonicWALL UTM Research team observed a new Merond worm variant being spammed in the wild via fake Twitter invitation e-mail messages. The e-mail message looks like below:

Sender: invitations@twitter.com

Subject: Your friend invited you to twitter!

Attachment: Invitation Card.zip [ Contains document.doc (spaces) .exe ]

The malicious executable inside the attachment is the new mass-mailing worm variant and the file looks like:

A sample e-mail message is shown below:

The worm when executed performs following activities on victim machine:

• Injects a malicious executable into multiple system files on the victim machine some of which are listed below:
  • (System Folder)attrib.exe
  • (System Folder)bootcfg.exe
  • (System Folder)calc.exe
  • (System Folder)chkdsk.exe
• Determines the IP address of the victim machine by sending a GET request to whatismyip.com
• Emails copy of itself to the e-mail addresses harvested from the victim machine
• Collects and sends back sensitive information from the victim machine to the predetermined IP address on port 65520. A sample encrypted packet is shown below:

  

• Downloads rogueware applications on victim machine.

This malware is also known as TR/Buzus.caro , Worm:Win32/Prolaco.gen!C , and Worm:W32/Prolaco.D .

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Merond.V (Worm) signature.