The IM worms armada

24 Oct 2006

minute read

Authors

Costin Raiu

We’ve noticed an increase in the prevalence of Y!/MSN-aware worms. These rely on various social engineering tricks to lure the user into a malicious website. For instance, IM-Worm.Win32.Qucan.c sends messages like this:

The link shows a URL nicely disguised as a JPEG file. The actual page, which contains an encrypted javascript to avoid direct inspection, uses a combination of Exploit.JS.ADODB.Stream.e and a more recent MDAC (MS06-014) exploit to install the worm in the system. Unfortunately, even though a patch for the MDAC exploit had been released in May 2006, we have quite a few Qucan.c/Sohanad.e cases reported.

Of course, if you have Firefox or Opera set as the default browser, the exploit doesn’t work.

BTW, if you’re still – for some obscure reason – using IE, it may be worth checking v7, which was just released. It works only on XP+SP2, though.

Authors

Costin Raiu

The IM worms armada

Latest Posts

Latest Webinars

Reports

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post-exploitation tools and techniques.

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Kaspersky has identified a new EastWind campaign targeting Russian organizations and using CloudSorcerer as well as APT31 and APT27 tools.

The IM worms armada

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

TOP 10 unattributed APT mysteries

Applied YARA training Q&A

PuzzleMaker attacks with Chrome zero-day exploit chain

Looking at Big Threats Using Code Similarity. Part 1

YARA webinar follow up

Analysis of Elpaco: a Mimic variant

Ymir: new stealthy ransomware in the wild

QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns

New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency

Lumma/Amadey: fake CAPTCHAs want to know if you’re human

Latest Posts

APT trends report Q3 2024

Consumer and privacy predictions for 2025

Analysis of Elpaco: a Mimic variant

Advanced threat predictions for 2025

Latest Webinars

Inside the Dark Web: exploring the human side of cybercriminals

The Cybersecurity Buyer’s Dilemma: Hype vs (True) Expertise

Cybersecurity’s human factor – more than an unpatched vulnerability

Building and prioritizing detection engineering backlogs with MITRE ATT&CK

Reports

APT trends report Q3 2024

Beyond the Surface: the evolution and expansion of the SideWinder APT group

BlindEagle flying high in Latin America

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Subscribe to our weekly e-mails