Chatting with a Bot: BKDR_CONTACT.O

Remember our previous post on IM worms that chat with the target? Well, here’s a similar instance. Check it out.

Current detection:
FileName : SexyGirl.zip/SexyGirl.scr
TrendMicro : PAK_Generic.001
Based on initial string-based analysis, we did not find the chat strings in the malware. Setting aside the possibility that they are encrypted (for simplicity’s sake), this could mean that the “chatters” (latia, Whyn0tt_87, D115ny_cute) are actual bot-infected systems which were instructed to propagate the malicious link via IRC, much like the AOL propagation used by bots; the botmaster can control the links. Or, the botmasters created legal IRC ‘bots’ that park on the channel and send the messages to the users of the channel. Yes, there are legal IRC ‘bots’. Google “irc bots”.


Update (JJ, 23 February 2006 00:14:56)


So I decided to delve deeper into this bot, and the botmaster does control the IRC messages that it sends out. This is its infection vector, as the bot does not have any commands to exploit other systems automatically. Also, this bot does not join a channel, and the server that it joins is a legit one. The botmaster has a script to tell the infected systems to “propagate” the “Sexy Girl” and “Full Sex Movie” links. And still, there are many users who are infected (based on the logs that I took).
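The propagation pattern described in both paragraphs above (several infected nicks pushing the same lure text with a link to an executable or archive) is something a channel operator or SOC analyst can spot in IRC logs. The following is an added example, not code from the original post or from Trend Micro: it parses constructed sample log lines (the nicknames reuse those named in the post; the host `example.invalid` and the message wording are assumptions) and reports any risky link message that more than one nick has sent.

```python
import re
from collections import defaultdict

# Constructed sample IRC log lines for demonstration (not from the original post).
# Nicknames reuse those named in the write-up; the host is a reserved placeholder.
SAMPLE_LOG = """\
[00:01] <latia> hey check out my new pics http://example.invalid/SexyGirl.zip
[00:02] <someone> anyone know a good ubuntu mirror?
[00:03] <Whyn0tt_87> hey check out my new pics http://example.invalid/SexyGirl.zip
[00:04] <D115ny_cute> hey check out my new pics http://example.invalid/SexyGirl.zip
[00:05] <someone> thanks, got it
[00:06] <latia> full sex movie http://example.invalid/movie.scr
"""

# "[timestamp] <nick> message" is the layout most IRC clients write to disk.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+<(?P<nick>[^>]+)>\s+(?P<msg>.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Extensions worth flagging: directly executable files and archives that wrap them.
RISKY_EXT = (".scr", ".exe", ".pif", ".com", ".zip", ".rar")


def parse_irc_log(text):
    """Yield (nick, message) for every well-formed chat line; skip joins/parts etc."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("nick"), m.group("msg")


def risky_links(message):
    """Return the URLs in a message whose path ends in an executable/archive extension."""
    return [
        u for u in URL_RE.findall(message)
        # strip trailing punctuation that the greedy \S+ may have swallowed
        if u.lower().rstrip(".,)").endswith(RISKY_EXT)
    ]


def find_pushed_lures(text, min_nicks=2):
    """
    Group messages that carry a risky link by their exact text and return those
    sent by at least `min_nicks` distinct nicknames, as {message: sorted nicks}.
    Identical wording from several nicks is the hallmark of a scripted push.
    """
    senders = defaultdict(set)
    for nick, msg in parse_irc_log(text):
        if risky_links(msg):
            senders[msg].add(nick)
    return {msg: sorted(nicks) for msg, nicks in senders.items() if len(nicks) >= min_nicks}


if __name__ == "__main__":
    for msg, nicks in find_pushed_lures(SAMPLE_LOG).items():
        print(f"{len(nicks)} nicks pushed the same lure: {msg!r} <- {nicks}")
```

With the default threshold the single “movie.scr” message from one nick is not reported; lowering `min_nicks` to 1 turns the script into a plain risky-link filter, which is useful when the bot herder varies the wording per nick.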