Archive for October 5th, 2006


Oct5
by Sheryll Tiauzon (Advanced Threats Researcher)

We recently received a tip from one of our own engineers about a suspicious-looking message he received from a friend of his (who we’d prefer to keep anonymous) via Yahoo Messenger.


The message was written in a foreign language; right now I’m really not sure which, but it looks Vietnamese (I could be wrong though…).

The message reads as follows:


Nhung khi buon vui lang le, ngo nhu do la mot tieng vong ve tu noi nao do xa lam toi muon nghe bai hat do nhu mot chut la lung,nho nhung ban a. Ban cung nghe voi toi nhe!!!!!!!! http://{blocked}.us.tf


Upon initial inspection, the site http://{blocked}.us.tf appears to access several other sites, one of which downloads the file http://{blocked}.com/sinhviennl/tm.exe. Fortunately, the site appears to be offline now.


We’ve managed to grab a sample of the worm, as well as take a couple of snapshots before this happened. Take a look:


This is the page that actually downloads the file tm.exe.



Here you can see that the file has already been downloaded and executed.


We’ve already submitted the file tm.exe to the service team, and it will be detected as WORM_QUATIM.A. We’ll try to update this article as soon as we stumble upon something new.


However, for the time being let me remind users not to click on links they receive via Yahoo Messenger, or any instant messaging service for that matter, unless they’re 100% sure that it is safe (which 95% of the time they’re not). A lot of worms are spreading because users tend to be complacent, especially since the messages usually come from an actual friend or contact. Always try to verify that the message was indeed sent by your friend. If you receive no reply, it would be safe to assume that the message was sent by malware.


Thought for the Day:


An ounce of prevention is worth a pound of cure…


Update (Sheryll Tiauzon, Thu, 05 Oct 2006 03:23:48 AM)

The detection for WORM_QUATIM.A is now available for download using CPR 3.816.03.


Oct5
by Sheryll Tiauzon (Advanced Threats Researcher)

We’ve been getting reports from several users that they’ve been receiving suspicious-looking messages on their instant messenger, such as the ones shown below.


Just check out my new personal website : http://{blocked}to4.net c0ol !!!

Download free MP3s : http://{blocked}o4.net?id=music


Upon further investigation we found that the main site only triggers a series of actions that redirect the user through several other sites, ending in the download of an executable file. (Sorry, no pretty snapshots to go with this article.)


The main site “http://www.{blocked}.net” redirects to:

http://www.{blocked}.com/hosted/purifier_f.php?userid=887&exp=24

which in turn goes to the site

http://www40.{blocked}.com/mercury1819/credit.html


That page contains a script that downloads “http://64.{blocked}.110.32/enet.exe” and saves it to the local computer using the filename “svhost.exe”.

The main site also redirects to the page http://{blocked}.googlepages.com/credit.html, which in turn saves the file “enet.exe” using the following filename: C:\WINDOWS\svhost32.exe.

Both pages utilized the MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) to run the downloaded file without user interaction.
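The dropped files in this chain borrow the look of the genuine Windows service host (svhost.exe, C:\WINDOWS\svhost32.exe). As an added example that is not part of the original post, here is a small Python check a defender can run over process image paths or a file listing to flag such impostors: a file named svchost.exe anywhere but system32, or a near-miss name. The 0.85 similarity threshold and the sample paths are my own constructed assumptions.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Names the dropped files imitate; the genuine binary lives only in SYSTEM_DIR.
PROTECTED = {"svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"
LOOKALIKE_THRESHOLD = 0.85  # assumption: tuned on the samples below

def lookalike_score(name):
    """Similarity (0.0..1.0) of a filename to the closest protected name.
    Digits are stripped first so that svhost32.exe scores like svhost.exe."""
    stem = re.sub(r"\d+", "", name.lower())
    return max(SequenceMatcher(None, stem, p).ratio() for p in PROTECTED)

def classify(path):
    """Return a reason string if `path` looks like a service-host impostor,
    otherwise None. Comparison is case-insensitive, as on Windows."""
    directory, name = ntpath.split(path.lower())
    if name in PROTECTED:
        # Right name, wrong place: the real svchost.exe never runs from elsewhere.
        return None if directory == SYSTEM_DIR else "protected name outside system32"
    if lookalike_score(name) >= LOOKALIKE_THRESHOLD:
        return "lookalike of " + ",".join(sorted(PROTECTED))
    return None

def flag_impostors(paths):
    """List of (path, reason) for every suspicious entry, in input order."""
    return [(p, r) for p in paths if (r := classify(p))]

# Constructed sample listing: two drop locations from the post plus benign entries.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",           # genuine
    r"C:\WINDOWS\svhost32.exe",                   # second drop named in the post
    r"C:\Documents and Settings\user\svhost.exe", # first drop name, user profile
    r"C:\WINDOWS\svchost.exe",                    # right name, wrong directory
    r"C:\WINDOWS\explorer.exe",                   # benign, dissimilar name
]

if __name__ == "__main__":
    for path, reason in flag_impostors(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```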


The file svhost.exe has already been submitted to the service team for processing. Kindly stay tuned for updates.


The aforementioned file turns out to be an AutoIt executable.



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice