Tuesday, February 8, 2011

"m28sx" worm: back in business?


You might remember my previous post about a new Twitter worm called "m28sx" that spreads a fake antivirus (aka rogueware) called Security Shield:

Today I got an email with the subject "HELLoo" and only a link in it. The link ended with m28sx.html.


Different redirects starting at the compromised website


There are 3 redirects before you eventually land on the fake scanner page:

Messagebox alerting you of infections on your system



Fake scan message showing numerous infections



The following file is dropped:

pack.exe
Detection result: 7/43 (16.3%)
MD5: b7fcca77d20fb5ac43792ad56f6fc75e

The payload is a rogueware called 'Security Shield'.

When executing the dropped file (pack.exe):

A warning that Security Shield was installed successfully



Security Shield rogueware finding (non-existent) infections



Conclusion

Always be careful when clicking on a URL that you do not recognize, or that is shortened so you cannot see the real destination. In this case, a website was compromised and the "m28sx.html" page was placed on it. Actually, be careful with ANY URL ;)

If you do happen to land on one of these rogueware pages presenting you with a fake scan of your disks, open Task Manager and end your browser's process.

As an extra note: this one might resurface on Twitter, so be on the lookout these days for links that end with "m28sx".
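For defenders who want to spot this chain in their own proxy logs rather than in a browser, here is an added example (my own code, not from the original post). It uses the two indicators the post gives, the "m28sx.html" URL suffix and the MD5 of pack.exe, and reconstructs a client's 3xx redirect chain up to the landing page so that the "3 redirects before the fake scanner" pattern stands out. The log format, hostnames and timestamps are constructed for illustration and are not from the incident.

```python
import hashlib
import re
import urllib.parse

# Indicators taken from the post: the URL suffix and the dropped file's MD5.
URL_SUFFIX = "m28sx.html"
PAYLOAD_MD5 = "b7fcca77d20fb5ac43792ad56f6fc75e"

# Constructed proxy log lines (not real traffic) in a simplified format:
# <unix_timestamp> <client_ip> <http_status> <method> <url>
SAMPLE_PROXY_LOG = """\
1297159200.123 10.0.0.7 302 GET http://compromised.example/blog/m28sx.html
1297159200.456 10.0.0.7 302 GET http://redir1.example/go.php?id=1
1297159200.789 10.0.0.7 302 GET http://redir2.example/r
1297159201.012 10.0.0.7 200 GET http://scanner.example/scan/index.php
1297159205.345 10.0.0.7 200 GET http://scanner.example/pack.exe
1297159300.000 10.0.0.9 200 GET http://www.example.org/news/index.html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<url>\S+)$"
)


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def flag_m28sx_urls(entries):
    """Return every requested URL whose path ends with the suffix the post describes."""
    hits = []
    for e in entries:
        path = urllib.parse.urlsplit(e["url"]).path
        if path.lower().endswith(URL_SUFFIX):
            hits.append(e["url"])
    return hits


def redirect_chains(entries, window=10.0):
    """Rebuild per-client redirect chains: a run of 3xx responses followed by the
    non-3xx landing page, with no gap larger than `window` seconds.
    Returns a list of (client_ip, [urls]); the last URL is the landing page."""
    by_client = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_client.setdefault(e["client"], []).append(e)
    chains = []
    for client, events in by_client.items():
        current = []
        for e in events:
            # Too long since the previous hop: the earlier hops were not one chain.
            if current and e["ts"] - current[-1]["ts"] > window:
                current = []
            if 300 <= e["status"] < 400:
                current.append(e)
            else:
                if current:
                    chains.append((client, [c["url"] for c in current] + [e["url"]]))
                current = []
    return chains


def is_known_payload(data):
    """True if the given file contents hash to the MD5 the post lists for pack.exe."""
    return hashlib.md5(data).hexdigest() == PAYLOAD_MD5


if __name__ == "__main__":
    entries = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("m28sx URLs:", flag_m28sx_urls(entries))
    for client, urls in redirect_chains(entries):
        print(f"{client}: {len(urls) - 1} redirects -> {urls[-1]}")
```

On the constructed log this reports one flagged URL and one chain of 3 redirects for client 10.0.0.7, ending at the fake-scanner page; a hit on either indicator is a reasonable trigger to pull that client's full session and check any downloaded executable against the hash.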

