AutoIT IM worms spread in Vietnam

We’ve been getting reports from several users that they’ve been receiving suspicious-looking messages on their instant messenger clients, such as the ones shown below.


Just check out my new personal website : http://{blocked}to4.net c0ol !!!

Download free MP3s : http://{blocked}o4.net?id=music


Upon further investigation we found that the main site only triggers a series of actions that redirect the user through several other sites, ending in the download of an executable file. (Sorry, no pretty snapshots to go with this article.)


The main site “http://www.{blocked}.net” redirects to:

http://www.{blocked}.com/hosted/purifier_f.php?userid=887&exp=24

which in turn goes to the site

http://www40.{blocked}.com/mercury1819/credit.html


That page contains a script that downloads “http://64.{blocked}.110.32/enet.exe” and saves it to the local computer using the filename “svhost.exe”.

The main site also redirects to the page http://{blocked}.googlepages.com/credit.html, which in turn saves the file “enet.exe” under the following filename: C:\WINDOWS\svhost32.exe.

Both sites utilized the MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014).
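The chain above leaves a recognisable footprint in outbound HTTP logs: a `purifier_f.php?userid=…&exp=…` redirector, a `credit.html` landing page and an `enet.exe` download, followed by a dropped file whose name imitates the legitimate `svchost.exe`. The following Python is an added defender-side example and is not part of the original post or any vendor tool; the proxy log lines, hostnames (`*.test`) and the TEST-NET IP are constructed placeholders, since the post redacts the real ones as `{blocked}`. It correlates the stages per client, so that a single lookalike URL does not fire on its own, and flags filenames within a small edit distance of `svchost.exe` after stripping digits (which catches `svhost32.exe` as well as `svhost.exe`).

```python
"""Flag the IM-worm redirect/download chain in proxy logs and svchost.exe lookalike filenames.

Added defender-side example. Log lines, hostnames and IPs below are constructed.
"""
import re
from collections import defaultdict

# Constructed squid-style proxy log: client, method, URL, status.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.lure-site.test/ 302
10.0.0.5 GET http://www.redirector.test/hosted/purifier_f.php?userid=887&exp=24 302
10.0.0.5 GET http://www40.landing.test/mercury1819/credit.html 200
10.0.0.5 GET http://192.0.2.10/enet.exe 200
10.0.0.9 GET http://www.news.test/index.html 200
10.0.0.9 GET http://cdn.news.test/logo.png 200
"""

# One pattern per stage of the chain described in the post.
STAGE_PATTERNS = {
    "redirector": re.compile(r"/hosted/purifier_f\.php\?userid=\d+&exp=\d+"),
    "landing": re.compile(r"/credit\.html$"),
    "payload": re.compile(r"/enet\.exe$"),
}

# The legitimate Windows binary the dropped names imitate.
LEGIT_NAME = "svchost.exe"

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_log(text):
    """Yield (client, url) tuples from proxy log text; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("client"), m.group("url")


def stages_per_client(text):
    """Map each client address to the set of chain stages its requests matched."""
    seen = defaultdict(set)
    for client, url in parse_log(text):
        for stage, pattern in STAGE_PATTERNS.items():
            if pattern.search(url):
                seen[client].add(stage)
    return seen


def infected_clients(text, min_stages=2):
    """Clients that hit at least `min_stages` stages; one stray URL alone is not enough."""
    return sorted(c for c, s in stages_per_client(text).items() if len(s) >= min_stages)


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_svchost_lookalike(name, max_distance=2):
    """True for names that are not svchost.exe but sit within `max_distance` edits of it.

    Digits are stripped first so that svhost32.exe is compared as svhost.exe.
    """
    lowered = name.lower()
    if lowered == LEGIT_NAME:
        return False
    normalized = re.sub(r"\d+", "", lowered)
    return edit_distance(normalized, LEGIT_NAME) <= max_distance


if __name__ == "__main__":
    for client in infected_clients(SAMPLE_LOG):
        print(client, sorted(stages_per_client(SAMPLE_LOG)[client]))
    for fname in ("svhost.exe", "svhost32.exe", "svchost.exe", "explorer.exe"):
        print(fname, is_svchost_lookalike(fname))
```

Requiring two stages rather than one keeps a lone `credit.html` request (a common filename) from raising an alert, while the filename check is independent of the URL chain and can be run over file-creation events from the Windows directory.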


The file svhost.exe has already been submitted to the service team for processing. Kindly stay tuned for updates.


Subsequent analysis found the aforementioned file to be an AutoIt executable.