What's going on with Warezov on ICQ?
A few weeks ago our network provider reported that they caught a few HTTP requests (a few GET for map.src and picture.pif) to a known warezov domain coming from one of our ip. Warezov and its variants are easily trackable since once activated they will try to update themself by fetching an update on several domains created for this purpose. So, a computer was suspected to be infected on our networks. I investigated and discovered that the actual IP involved was a linux box. No, not even a dual boot box.
After asking the lady who used to computer that day, i understood that she certainly didn't go fetch the warezov update on purpose and that she only used meebo.com (webmesenger service) and yahoo mail. She reported a few weird messages from people she didn't know on ICQ, though. A few days later, another user reported the same kind of messages on ICQ, but this time from an unknown warezov domain! No antivirus vendors are actually linking Warezov and ICQ. So what's going with Warezov on ICQ?
Renater our network provider reported these requests, saderuikuntunyesdea.com being a know warezov domain:
GET http://281.saderuikuntunyesdea.com/1/2772/ - DIRECT/188.8.131.52 text/html GET http://281.saderuikuntunyesdea.com/chr/IM/map.scr - DIRECT/184.108.40.206 text/plain GET http://2298.saderuikuntunyesdea.com/2/4460/picture.pif - DIRECT/220.127.116.11 text/html GET http://2298.saderuikuntunyesdea.com/chr/IM/picture.pif - DIRECT/18.104.22.168 text/plain
The lady who used the computer at this time couldn't actually remember what were the messages sent to her on ICQ, but she certainly didn't remember clicking on any of them.
I couldn't find any information linking warezov and ICQ. According to Sunbelt warezov is a mass mailing worm that carries an infected attachment and spreads by sending a copy of itself to every email address in the victim's computer.
Anyway, i downloaded the map.scr and picture.pif files and submitted them on virustotal.com:
AntiVir 22.214.171.124 12.21.2006 Worm/Stration.AH Authentium 4.93.8 12.20.2006 W32/Warezov.gen4 Avast 4.7.892.0 12.20.2006 no virus found AVG 386 12.20.2006 I-Worm/Stration.BKR BitDefender 7.2 12.21.2006 Trojan.Dropper.Stration.VD CAT-QuickHeal 8.00 12.20.2006 I-Worm.Warezov.et ClamAV devel-20060426 12.21.2006 Worm.Stration.XC-8 DrWeb 4.33 12.21.2006 Win32.HLLM.Limar.based eSafe 126.96.36.199 12.19.2006 Win32.Warezov.et eTrust-InoculateIT 23.73.93 12.21.2006 Win32/Stration.Variant!Worm eTrust-Vet 30.3.3267 12.21.2006 no virus found Ewido 4.0 12.21.2006 Worm.Warezov.et Fortinet 188.8.131.52 12.21.2006 W32/Strati.ET@mm F-Prot 3.16f 12.20.2006 W32/Warezov.gen4 F-Prot4 184.108.40.206 12.20.2006 W32/Warezov.gen4 Ikarus T220.127.116.11 12.21.2006 Email-Worm.Win32.Warezov.dw Kaspersky 18.104.22.168 12.21.2006 Email-Worm.Win32.Warezov.et McAfee 4923 12.20.2006 W32/Stration@MM Microsoft 1.1904 12.21.2006 no virus found NOD32v2 1932 12.20.2006 Win32/Stration.TU Norman 5.80.02 12.20.2006 W32/Stration.CQW Panda 22.214.171.124 12.21.2006 W32/Spamta.PL.worm Prevx1 V2 12.21.2006 no virus found Sophos 4.12.0 12.21.2006 W32/Strati-Gen Sunbelt 2.2.907.0 12.18.2006 W32.Stration.DB@mm TheHacker 126.96.36.199 12.20.2006 W32/Warezov.et UNA 1.83 12.20.2006 I-Worm.Warezov.et VBA32 3.11.1 12.20.2006 MalwareScope.Worm.Warezov.1 VirusBuster 4.3.19:9 12.20.2006 Trojan.Opnis.Gen.29
It's abviously a piece of warezov. I reported it to f-secure with my little story and then contacted me back saying the files i submitted didn't have any IM related routines. They said the virus was probably not sent on ICQ but rather in a mail. But a few days later another user reported weird messages on ICQ and this time, she sent them to me:
check this http://7692.seruijingandeshijinpos.com/1/3030/ check this http://9842.seruijingandeshijinpos.com/1/4619/
Interesting.. this time we're sure it's coming from ICQ and that it's a warezov even though seruijingandeshijinpos.com isnt a know warezov domain (yet). I reported this to my contact at f-secure and am still waiting for an answer...