Russian social networking website hit by worm

Facebook, MySpace, Orkut and many other social networking sites epitomize Web 2.0 today. Naturally, malware writers are paying close attention and are attacking these networks – often in search of personal data.

Along with these global networks, there are local social networking sites in every country. In Russia, the most popular social networking sites are VKontakte.ru, Ondnoklassniki.ru {translation: in contact and classmates} and LiveJournal.

Over this past weekend VKontakte was targeted by a new network worm – Rovud. The first variant was detected early on May 16. The worm is simple in execution, but original nevertheless.

The body of the worm was posted on a website, which we think is probably hacked, with the name deti.jpg (translation: children.jpg): http://Roland.misecure.com/deti.jpg

In reality, anyone who clicked on the link launched an executable instead of downloading an image.

Once Rovud is launched on the victim machine it searches for the victim’s VKontakte cookies. The worm uses the cookies to connect to the VKontakte website and send the malicious link to all of the victim’s contacts. If any recipients click on the link the cycle is repeated with the recipient’s contacts now receiving the malicious link.As the worm executes it launches a picture:

(translation: Frozen again! – Kids, help your dad press Ctr+Alt+Del)

Worst of all, the worm has a destructive payload – on the 25th (of every month) it will launch the following window:

(translation:
Window title: Pavel Durov
Window text: While using in VKontakte.ru you have never elevated you rating, which means that we don’t earn a profit on you. In return we will destroy you computer!
If you turn to the police, you will regret it!
Respectfully,
Pavel Durov)

To add insult to injury, the threat purportedly comes from Pavel Durov – the founder of VKontakte.ru.

After this window is launched, the worm begins to delete all files on the victim machine.

Even though this first variant of Rouvd was detected quickly by a number of AV vendors and the support services of VKontakte were informed – it was impossible to prevent an outbreak. It took over a day to stop the worm.

In the meantime, the unknown authors of the worm changed the link to the infected website that was being sent to users. This lead to a new outbreak – evidently the admins at VKontakte has simply blocked the original URL leading to the deti.jpg file. The malware writers easily overcame this obstacle and Rovud.c spread the following URL:

http://vkontakte.ru/away.php?to=%68%74%74%70%3a%2f%2f%72%6f%6c%61%6e%64%2e%6d%69%
09%73%65%09%63%75%72%65%2e%63%6f%6d%2f%64%65%74%69%2e%6a%70%67

Clicking on this URL lead the victim to a new file on the same malicious website – http://Roland.misecure.com/deti.scr.

Rovud.c was detected on May 17 and judging by the number of queries many more people were infected during this outbreak versus the first Rovud outbreak on May 16.

Most interesting of all – the worm was marketed in advance. On May 15 the Russian Internet was flooded with a massive phishing attack aimed at improving the rating of a specified VKontakte.ru user:

Translation:

So what really happened if you responded? Naturally, the text message was not free ($ 0.30) and the only person whose rating increased was the owner of id10682124.

The administrators of VKontakte.ru responded by removing this user’s personal page. And the next day we saw Rovud.a worm, which continued the topic of user ratings and threatened users.

So far, it is unclear whether this is a simply an ‘injured’ hacker taking revenge, or a well-thought out attack against VKontakte.ru – an attempt to smear its reputation and scare away users.

We urge all users of VKontakte.ru to take care. We detect Rovud and provide a free removal tool as well. NB – you have to be in your admin session to run the utility.