
    Archive for December 2nd, 2009

    Spammers often ride on blockbuster movies to spread their malicious deeds. Just recently, Trend Micro researchers received spammed messages that piggybacked on the Twilight sequel, New Moon.
    No surprises there: the movie earned US$274.2 million on its opening weekend and continues to climb the charts. In fact, just days before New Moon's premiere, Trend Micro had already reported New Moon-related poisoned search results that led to rogue antivirus software and other types of badware.


    The spammed email message has the subject "Filme 2009, Film Noi, Filme Gratis" and carries a URL that points to a commercial spam site. The body is written in Romanian, which at first suggests a geographically targeted attack. Our researchers, however, believe this spam run is more of a trial advertisement for a new file-sharing portal.


    The links in the spammed emails open a Romanian file-sharing portal (a DC++ hub), which indeed offers further links for downloading movie files. DC++ is an open source tool that lets users share files and chat over the Internet with other users. The DC++ tool and its hubs are highly popular in Romania. FAQ sites describe DC++ hubs as follows:

    A hub is a kind of router that allows DC++ clients to interconnect with one another. It is not called a server because it does not host any files; it only makes the necessary connections (chat, search requests, and search results).
    All file transfers take place between clients, not through the hub.


    File-sharing portals, like many other "free" offers, seldom have charitable intentions. Most of these portals draw users into illegal file sharing, gather personal data (through member registration), engage in clickjacking, or perform other questionable actions.

    Users are advised to be wary of free file-sharing portals and of opening URLs in emails from unknown sources. Trend Micro protects users from this attack via the Smart Protection Network™, which blocks the spammed email message and prevents access to the spammed site.

    Additional text by Alice Decker, Senior Threat Researcher




    SOHANAD may be an old malware family, but it remains a prevalent threat in the Asia/Pacific region. WORM_SOHANAD is written as an AutoIt script, a freeware scripting language for Microsoft Windows. The script is then compiled into a Win32 executable (a PE file) with the Aut2Exe tool to produce the malware's final build. Aside from SOHANAD, other worm families such as SILLY, YAHLOVER, AUTORUN, and IMAUT are also created with AutoIt scripts.
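    Because an Aut2Exe build embeds the original script as a resource, compiled AutoIt binaries are easy to pick out during triage. The following is an added example, not code from the TrendLabs post: it checks for a PE header and scans the file body for the well-known AutoIt script marker (`AU3!EA06`, or `AU3!EA05` in older builds). The marker identifies a compiled AutoIt program, not malware; a hit means "look closer", not "malicious". The sample bytes are constructed for the demonstration and are not a real executable.

```python
"""Triage helper: flag PE files that carry an embedded AutoIt script.

Added example (not from the TrendLabs post). Compiled AutoIt3 binaries embed
the script with a fixed marker, "AU3!EA06" (older builds used "AU3!EA05").
The marker says "compiled AutoIt", not "malware": treat it as a triage signal.
"""
import struct

AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_autoit_marker(data: bytes):
    """Return (marker, offset) for the first AutoIt script marker found, else None."""
    for marker in AUTOIT_MARKERS:
        off = data.find(marker)
        if off != -1:
            return marker.decode(), off
    return None


def triage(data: bytes) -> dict:
    """Summarise what a first-pass analyst wants to know about the blob."""
    hit = find_autoit_marker(data)
    return {
        "pe": is_pe(data),
        "autoit": hit is not None,
        "marker": hit[0] if hit else None,
        "offset": hit[1] if hit else None,
    }


def build_sample(with_marker: bool) -> bytes:
    """Constructed sample: a minimal MZ/PE header plus filler, optionally carrying
    the AutoIt marker. It is NOT a runnable executable; it only exercises the scan."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40 bytes of DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> offset 0x40
    body = bytes(hdr) + b"PE\x00\x00" + b"\x00" * 200
    if with_marker:
        body += b"\x00" * 16 + b"AU3!EA06" + b"\x00" * 32
    return body


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(flag)))
```

    In practice you would run `triage()` over the bytes of a suspect file; a hit on a binary that also shows the behaviour described below (IM spam, policy changes, periodic downloads) is a strong pointer to an AutoIt-built worm such as SOHANAD.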

    Nhatquanglan: A Common SOHANAD Threat in Southeast Asia and India

    Most SOHANAD variants originated in a handful of South and Southeast Asian countries: Vietnam (Nhatquanglan and ViRuSLoVeHD), India (Khatarnak), the Philippines (Funny_UST_Scandal), and Indonesia (VirusBenci). Nhatquanglan remains the most common SOHANAD variant in Southeast Asia and India. It may arrive on a system via the following vectors:

    • Web (as downloaded malware)
    • Yahoo! Messenger v8.0 and below
    • Network shared folders/drives
    • Removable media (e.g., USB drives, flash memory cards)

    Like other SOHANAD variants, Nhatquanglan spams messages with malicious links to the affected user's instant messenger (IM) contacts. Some of these messages are written in Vietnamese (English translations in parentheses):

    • Bo oi! Co biet gi chua ha? Cai nay hay lam a nha (Hey! Do you know about this yet? This one is really good)

      http://www.{BLOCKED}vantinhyeu.info

    • Loi to tinh dau tien cua tui : ) (My first love confession :))

      http://www.{BLOCKED}vantinhyeu.info

    • cau noi hay nhat danh cho 2 nguoi iu nhau (the best saying for two people in love)

      http://www.{BLOCKED}vantinhyeu.info

    • Biet yeu la sai lam, sao ta cu yeu dai kho (Knowing love is a mistake, why do we keep on loving so foolishly)

      http://www.{BLOCKED}vantinhyeu.info

    • Lan dau tien len…giuong =)) =)) (First time in…bed =)) =)))

      http://www.{BLOCKED}vantinhyeu.info


    The Dangers and Risks SOHANAD Poses

    When executed on a system, SOHANAD disables the Registry Editor and the Windows Task Manager. It also changes the affected user's browser homepage and terminates certain processes belonging to antivirus programs. In addition, it sends enticing messages with malicious URLs to the user's IM contacts; when those contacts click the link, they are infected with SOHANAD as well.
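    The lockouts above leave traces an incident responder can check even when the binary itself has already changed. The following added example (not from the TrendLabs post) parses a regedit `.reg` export of the affected user's hive, reports the policy values that disable the Registry Editor and Task Manager, records the current Internet Explorer start page for comparison with the user's expected value, and emits a `.reg` fragment that clears the lockouts. The post does not name the registry values; `DisableRegistryTools` and `DisableTaskMgr` under `HKCU\...\Policies\System` are the standard Windows policy values that produce the behaviour described, and their use here is an assumption. The export text is constructed for the demonstration.

```python
"""Check a regedit .reg export for SOHANAD-style lockouts and build the undo.

Added example, not code from the TrendLabs post. ASSUMPTION: the worm sets the
standard policy values DisableRegistryTools / DisableTaskMgr; the post itself
only says the Registry Editor and Task Manager are disabled.
"""
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
LOCKOUT_VALUES = ("DisableRegistryTools", "DisableTaskMgr")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')

# Constructed .reg export (not real telemetry), in regedit's own text format.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.invalid/"
"""


def parse_reg_export(text: str) -> dict:
    """Parse the subset of the .reg format used here into {key: {name: value}}.
    dword values become ints, quoted strings stay strings; other types are ignored."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, _, dword, string = m.groups()
            tree[current][name] = int(dword, 16) if dword is not None else string
    return tree


def find_lockouts(tree: dict) -> list:
    """List the lockout values that are set, plus the start page for analyst review."""
    findings = []
    policies = tree.get(POLICY_KEY, {})
    for name in LOCKOUT_VALUES:
        if policies.get(name) == 1:
            findings.append(f"{POLICY_KEY}\\{name} = 1")
    start = tree.get(IE_MAIN_KEY, {}).get("Start Page")
    if start is not None:
        findings.append(f"{IE_MAIN_KEY}\\Start Page = {start} (verify against the expected homepage)")
    return findings


def undo_reg(tree: dict) -> str:
    """Emit a .reg fragment that resets each lockout value that is set to 0,
    which re-enables the Registry Editor and Task Manager when imported."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{POLICY_KEY}]"]
    for name in LOCKOUT_VALUES:
        if tree.get(POLICY_KEY, {}).get(name) == 1:
            lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_REG)
    for finding in find_lockouts(hive):
        print(finding)
    print(undo_reg(hive))
```

    Importing the generated fragment only undoes the policy change; the worm re-applies it on its next run, so the undo belongs after the binary and its autostart entries have been removed.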

    Why Is It a Persistent Threat?

    The cybercriminals behind SOHANAD build it with AutoIt, which is likely why it remains so rampant. An AutoIt script is easy to modify and update, so the authors can deploy multiple variants at a time. AutoIt is also easy to use: writing a script is comparable to writing a batch file that automates the malware's malicious actions. As of this writing, some SOHANAD source scripts have already fallen into the hands of script kiddies.

    One notable characteristic of SOHANAD is its ability to update itself actively. It keeps replacing its binaries while resident in the affected system, and it repeatedly downloads a file named SETTING.INI from several malicious websites. SETTING.INI carries the updated configuration and changes from time to time. Based on the collected samples, SOHANAD updates itself every two hours, although the interval may also change with the latest downloaded SETTING.INI. What is most alarming is that detection and cleanup may prove ineffective against malware that keeps changing its binaries and its behavior.
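    A fixed update interval is itself a detection opportunity: even when the binary and the hosting site change, the two-hourly fetch of SETTING.INI leaves a regular pattern in proxy logs. The following added example (not code from the TrendLabs post) groups SETTING.INI fetches per client across all hosts, since the post says the file comes from several sites, and flags clients whose fetch intervals are nearly constant. The log format, host names, and addresses are constructed for the demonstration; the filename SETTING.INI and the two-hour period come from the post.

```python
"""Flag clients that fetch SETTING.INI at a near-constant interval.

Added example, not from the TrendLabs post. Log lines are constructed; the
format (timestamp client method url status) is an assumption, not a real proxy's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real telemetry). 10.1.1.23 fetches SETTING.INI
# roughly every two hours from rotating hosts; 10.1.1.40 fetches it only twice.
SAMPLE_LOG = """\
2009-12-02T08:00:03Z 10.1.1.23 GET http://host-a.example/SETTING.INI 200
2009-12-02T08:02:10Z 10.1.1.23 GET http://www.example.org/index.html 200
2009-12-02T10:00:07Z 10.1.1.23 GET http://host-a.example/SETTING.INI 200
2009-12-02T12:00:01Z 10.1.1.23 GET http://host-b.example/SETTING.INI 200
2009-12-02T14:00:09Z 10.1.1.23 GET http://host-a.example/SETTING.INI 200
2009-12-02T09:15:00Z 10.1.1.40 GET http://cdn.example.net/SETTING.INI 200
2009-12-02T17:42:00Z 10.1.1.40 GET http://cdn.example.net/SETTING.INI 200
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, method, url, status)."""
    ts, client, method, url, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url, int(status)


def find_beacons(log_text: str, filename: str = "SETTING.INI",
                 min_hits: int = 3, jitter: timedelta = timedelta(minutes=5)) -> dict:
    """Return {client: summary} for clients whose fetches of `filename` (any host)
    number at least `min_hits` and whose gaps differ by no more than `jitter`."""
    fetches = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = parse_line(line)
        if url.rsplit("/", 1)[-1].upper() == filename.upper():   # host is ignored on purpose
            fetches[client].append((ts, url))

    results = {}
    for client, events in fetches.items():
        events.sort()
        if len(events) < min_hits:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        if max(gaps) - min(gaps) <= jitter:                        # near-constant period
            period = sum(gaps, timedelta()) / len(gaps)
            results[client] = {
                "hits": len(events),
                "period_minutes": round(period.total_seconds() / 60),
                "hosts": sorted({url.split("/")[2] for _, url in events}),
            }
    return results


if __name__ == "__main__":
    for client, summary in find_beacons(SAMPLE_LOG).items():
        print(client, summary)
```

    Keying on the filename rather than the host is deliberate, because the post says the file is pulled from several sites; if a later variant also renames the file, the same periodicity test can be applied to all requests from a client instead.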

    User Protection

    With that in mind, file detection alone is not sufficient to stop a continuously changing threat like SOHANAD. Users need a security product such as the Smart Protection Network™, which blocks the malicious URLs and so prevents infection in the first place.


    © Copyright 2011 Trend Micro Inc. All rights reserved.