Orkut is a Google-owned social networking service with most users located in Brazil and India. It recently ranked 21st in Compete.com’s top 25 social networking sites, with more than 5 million monthly visits in January of 2009.
Much like the other social networking sites on that list, Orkut is now also being used by cyber criminals to deliver malware that can compromise a victim's computer.
Spoofed emails that claim to be from Orkut inform the recipient that their account has been found to be fake and to be engaging in illegal activities, such as sending spam to other Orkut members.
Figure 1. Sample spammed message posing to be from Orkut
Figure 2. A fake warning for Orkut users
The first email translates to:
Problems with your profile.
Your profile was reported to be containing illegal information, and will be blocked in the next 48 hours.
You are probably using non-authorized or copyrighted information.
To see all the information and instructions required to normalize your account, click here.
This will be the last notification sent from our system, and in case you do not perform any required action, your profile will be blocked definitely.
ATTENTION: your request will be analyzed by our team and will be subject for approval.
To get more details about your profile, download the software below:
The second email translates to:
Problems with your account
We are receiving daily inquiries showing that your profile is fake, and is sending spam to other Orkut members.
If you really do exist and would want to keep using Orkut, we require you to change your password and do a personal confirmation of your profile.
Enable your profile:
IMPORTANT: Your reactivation is due in the next 48 hours.
Recipients are given 48 hours to reactivate their profile by clicking the given link. Upon clicking the link, they are redirected to a website that prompts them to download a file, which is malware detected as TROJ_DLOADER.WKV.
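One way a mail filter could flag notices built on the pattern described above (a sender claiming to be Orkut, a link that leaves the claimed domain and points at an executable, and a short deadline), as an added Python example that is not part of the original post. The two sample messages, the trusted-domain set, the keyword list and the "two or more reasons" threshold are all constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the spoofed notice above (not a real message).
SPOOFED = """From: Orkut Support <no-reply@orkut.com>
Subject: Problems with your profile
Content-Type: text/plain

Your profile was reported to be containing illegal information, and will be
blocked in the next 48 hours. To see all the information and instructions
required to normalize your account, click here:
http://orkut-profile-check.example/verify/orkut_update.exe
"""

# Constructed sample of a benign notice whose link stays on the claimed sender's domain.
LEGIT = """From: Orkut <no-reply@orkut.com>
Subject: New scrap from a friend
Content-Type: text/plain

You have a new scrap. Read it at http://www.orkut.com/Scrapbook.aspx
"""

TRUSTED = {"orkut.com", "google.com"}          # assumed: domains the real service mails from
URGENCY = re.compile(r"\b\d+\s*hours?\b|\bblocked\b|\breactivat", re.I)
EXECUTABLE = re.compile(r"\.(exe|scr|com|bat|pif)$", re.I)


def _registered(host):
    """Reduce 'www.orkut.com' to 'orkut.com' (naive two-label rule, enough for the samples)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw):
    """Return the reasons a message looks like the Orkut lure; 'suspicious' needs two or more."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    claimed = _registered(msg["From"].split("@")[-1].rstrip(">"))
    links = re.findall(r"https?://[^\s<>\"]+", body)
    reasons = []
    off_domain = [u for u in links if _registered(urlparse(u).hostname or "") not in TRUSTED]
    if claimed in TRUSTED and off_domain:          # sender claims Orkut, link goes elsewhere
        reasons.append("link-domain-mismatch")
    if any(EXECUTABLE.search(urlparse(u).path) for u in links):   # link is a file download
        reasons.append("executable-download")
    if URGENCY.search(body):                       # "48 hours" / "blocked" style pressure
        reasons.append("deadline-pressure")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "links": links}
```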
Figure 3. Prompt to download the malicious file.
TROJ_DLOADER.WKV terminates antivirus applications found on the affected system. This routine is likely intended to prevent antivirus software from detecting the files this Trojan downloads from malicious URLs, which were inaccessible as of this writing.
In any case, spammed messages such as the ones shown above are already blocked and the malicious files are already detected through the Trend Micro Smart Protection Network.
Here are a couple of past reports involving Orkut: