
Brazil is the home of the infamous Infostealer.Bancos family of malware. Recently, however, we have seen a more diverse range of sites - beyond just banking sites - coming into the crosshairs of the Brazilian malware gangs. Is the recent W32.Imcontactspam worm another of their creations?



The worm is Brazilian and spammed the infected users’ MSN contacts with email advising them that they had received an electronic greeting card. We see these types of worms quite often; however, what caught our attention was the similarity between the techniques this worm uses and the techniques used by the Infostealer.Bancos family of trojans.



When executed, the worm does the following:



  1. Minimizes the real MSN Messenger login window;

  2. Displays a fake Portuguese-language MSN login screen;

  3. Records the username and password that are typed;

  4. Displays the real MSN Messenger login window (the user must re-type the password);

  5. Records the email addresses of all contacts; and

  6. Sends a report including the username, password and a list of contacts of the infected user to the worm’s authors.


Below is an example of the type of email that the worm authors will receive. (Usario = Username and Senha = Password)



example1.jpg



At the same time the worm also sends an email to all of the infected user’s contacts with the following details (abbreviated translation: “A friend has sent you a card, to see it click on the link below”):



example2.jpg



When the contact clicks on the link to view the greeting card they are presented with a popup stating that “The latest version of Macromedia Flash Player was not found, please, download and install it.”



fake_flash1.jpg



The contact is then presented with a fake Flash “Install now” page:



fake_flash2.jpg



And finally the contact is presented with the payload:



fake_flash3.jpg



This fake Flash update is in fact a copy of the worm. If the contact agrees to install the fake update, then the infection starts all over again on that contact’s computer.



The worm also sends the following fake email which appears to be a phishing attack against cartoes24horas.com.br:



fake_notice_sm.jpg




The links in the fake email actually point to cartorioS24horas.com, NOT the legitimate site cartorio24horas.com.br. It is difficult to say exactly what the attackers were attempting to gain from this email as the phishing site cartorios24horas.com is currently unavailable. [carties24horas.com.br are aware of these fake emails and have a warning to their users on their home page. ]



When analyzing this worm, it was obvious that it has many of the same characteristics as the Infostealer.Bancos samples that we see so often. The most obvious shared traits are that they both target a Brazilian audience and that they are both written in the Delphi language.



Another point of interest is that, rather than using the real MSN window and recording the keystrokes (which most other worms would do), the worm’s author decided to display a fake MSN Messenger window instead. This fake window is embedded in the executable as a JPEG. This makes the executable quite large and also limits the functionality of the fake window. For example, the worm cannot handle the infected user clicking on the File menu, so it displays a message box stating that the operation was not possible:



fake_error.jpg



Almost all of the Infostealer.Bancos family of Trojans have images embedded in them (meaning that the executable is also quite large), and they display these images instead of the real bank Web site, in a similar way to this worm.



Another shared characteristic is that, more often than not, the Infostealer.Bancos Trojans also collect all of the infected user’s contacts and send them to the attacker at an anonymous email address. This worm sends the addresses of all of the infected user’s contacts (along with the username and password of the infected user) to two Gmail accounts. [The account details for both of these addresses have been passed to the abuse team at Gmail.]



Also, it is quite obvious that the creator of this worm is not a very skilled programmer. This is apparent from the use of a fake MSN window rather than the real one and because, during testing of the worm, the emails sent to all infected users’ contacts actually contained the infected users’ password in the FROM: field, instead of the username.



Lastly, the Infostealer.Bancos family are quickly recognizable because they usually use the .scr extension (for screensaver) instead of the normal .exe extension.



Reviewing the details of the fake Flash update shown above, we see that the file extension used is .scr and the file type is listed as Screen Saver.



scr_extension.jpg
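The traits described above (a Windows executable hiding behind an .scr extension, an oversized binary, and fake UI screens embedded as JPEG images) are easy to turn into a file-triage heuristic for a defender sorting through suspicious attachments. The following Python script is an added example written for this post; it is not code from the original analysis or from Symantec, and the size threshold, the scoring weights and the constructed sample bytes are assumptions chosen for illustration, not values taken from the worm itself.

```python
import re
import struct
from pathlib import PurePath

# Heuristic triage for the traits this post associates with the worm and the
# Infostealer.Bancos family: an .scr (screen saver) extension on a real PE
# executable, an oversized binary, and JPEG images embedded directly in it
# (the fake login or bank screens). Thresholds and weights are assumptions
# made for this example, not values from the original analysis.

# SOI marker followed by an APP0 (JFIF) or APP1 (Exif) segment marker.
JPEG_SOI = re.compile(rb"\xff\xd8\xff[\xe0\xe1]")
LARGE_FILE_BYTES = 1_000_000   # assumed threshold: 1 MB is large for a login stub


def is_pe_executable(data: bytes) -> bool:
    """True if the buffer carries an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def embedded_jpeg_offsets(data: bytes) -> list[int]:
    """Offsets of JFIF/Exif JPEG headers found anywhere inside the buffer."""
    return [m.start() for m in JPEG_SOI.finditer(data)]


def triage_sample(name: str, data: bytes) -> dict:
    """Score a file against the traits described in the post.

    Returns the individual indicators plus a score; a score of 3 or more is
    flagged as suspicious (assumed cut-off for this example).
    """
    indicators = {
        "scr_extension": PurePath(name).suffix.lower() == ".scr",
        "pe_executable": is_pe_executable(data),
        "large_file": len(data) >= LARGE_FILE_BYTES,
        "embedded_jpegs": len(embedded_jpeg_offsets(data)),
    }
    score = 0
    if indicators["scr_extension"] and indicators["pe_executable"]:
        score += 2   # "screen saver" that is really a PE: the .scr trick from the post
    if indicators["embedded_jpegs"] > 0 and indicators["pe_executable"]:
        score += 2   # fake UI screens baked into the binary as images
    if indicators["large_file"]:
        score += 1   # embedded images make the executable unusually large
    indicators["score"] = score
    indicators["suspicious"] = score >= 3
    return indicators


def build_constructed_sample(jpeg_count: int, pad_to: int) -> bytes:
    """Constructed test input: a minimal MZ/PE stub with fake JPEG headers appended.

    This is not a real executable and does nothing; it only carries the
    byte patterns the triage function looks for.
    """
    header = bytearray(b"MZ" + b"\0" * 0x3E)         # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew points at offset 0x40
    header += b"PE\0\0"                             # PE signature at 0x40
    body = b"".join(
        b"\xff\xd8\xff\xe0\0\x10JFIF\0" + b"\x41" * 64 for _ in range(jpeg_count)
    )
    sample = bytes(header) + body
    return sample + b"\0" * max(0, pad_to - len(sample))


if __name__ == "__main__":
    # Constructed sample resembling the fake Flash update: .scr name, PE
    # header, three embedded JPEG headers, padded out to 1 MB.
    sample = build_constructed_sample(jpeg_count=3, pad_to=LARGE_FILE_BYTES)
    print(triage_sample("flash_update.scr", sample))
```

A real triage pipeline would feed `triage_sample` the attachment name and bytes pulled from a mail gateway or sandbox; none of these indicators is conclusive on its own (legitimate installers embed images too), which is why the example combines them into a score rather than treating any single trait as a verdict.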



Of course, some of these attributes can also be found in other amateur-type viruses, but the number of similarities certainly invites comparisons between the two threats.



chart.jpg

Similarities between the two threats



We cannot be certain that this worm was created by the same people that created the Infostealer.Bancos Trojans, but it certainly would not be surprising to discover that both were written by the very same gang, and that the gang are expanding their operation to target more than just banking sites.



