Twitter spam and some details

We want to add some details on what we found while analysing the malware delivered by the Twitter spam emails.

The original Trojan dropper sample, named Twitter_security_model_setup.exe, is approximately 416768 bytes in size and uses an icon resembling the Windows Update notification icon.

Further analysis showed the sample to be a variant of the TDSS rootkit, in this specific case the TDSS-pragma variant.

On execution, the rootkit creates several hidden files and injects itself into explorer.exe and Iexplore.exe.

It then attempts to download further malicious binaries and opens connections to multiple remote hosts (domain names partially masked):

  • http://xxxxxrwid.org/any/396-direct.ex
  • http://xxxxxifulsecurityscan.com/readdatagateway.php?type=stats&affid=396&subid=new02&version=4.0&adwareok
  • http://xxxxxhlouinc.org/css/pragma/crcmds/main
  • http://xxxxxhlouinc.org/css/pragma/srcr.dat
  • http://xxxxxhlouinc.org/css/pragma/crcmds/install
  • http://xxxxxsearchlouinc.org/css/pragma/crfiles/serf
  • http://xxxxxsearchlouinc.org/css/pragma/crfiles/bbr
  • http://xxxxxawbok.com/cnt/cnt_db
  • http://xxxxxawbok.com/customers/readdatagateway.php?type=stats&affid=396&subid=new02&installrun&version=4.0
  • http://xxxxxfinderaco.org/css/pragma/knock.php
  • http://xxxxxsearchlouinc.org/css/pragma/knock.php
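As an added example that is not part of the original Emsisoft post, the following Python script checks proxy log lines against URL indicators distilled from the list above. The hostnames are masked on this page, so it deliberately matches on path and query structure only: the /css/pragma/ command and file retrieval paths, the knock.php beacon and srcr.dat blob, the /cnt/cnt_db request, the NNN-direct.ex download, and the readdatagateway.php?type=stats&affid= affiliate check-in. The log format, timestamps and host names are constructed for the demonstration; the affiliate ID value is captured because it ties the dropper download (396-direct.ex) to the rogue's statistics check-in (affid=396) in the list above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicator patterns distilled from the URL list in the post. Hostnames are masked
# there, so matching is done on path and query structure only (an assumption that
# the same paths would be used on other, unmasked hosts of the same campaign).
PATH_INDICATORS = (
    re.compile(r"^/css/pragma/(crcmds|crfiles)/"),        # command and file retrieval
    re.compile(r"^/css/pragma/(knock\.php|srcr\.dat)$"),  # beacon and data blob
    re.compile(r"^/cnt/cnt_db$"),                         # rogue's counter endpoint
    re.compile(r"/\d+-direct\.ex$"),                      # binary download, numbered by affiliate
)


def classify_url(url):
    """Return a short reason string if the URL matches a TDSS-pragma indicator, else None."""
    parts = urlsplit(url)
    path = parts.path
    for pat in PATH_INDICATORS:
        if pat.search(path):
            return "path:" + pat.pattern
    # The statistics gateway is only suspicious with the affiliate-tracking parameters.
    if path.endswith("/readdatagateway.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)  # keep 'adwareok', 'installrun'
        if qs.get("type") == ["stats"] and "affid" in qs:
            return "affiliate-stats affid=" + qs["affid"][0]
    return None


# Constructed proxy log: "<epoch> <method> <url> <status>". Hosts are placeholders.
SAMPLE_PROXY_LOG = """\
1291374005.123 GET http://cdn.example.test/css/site.css 200
1291374006.456 GET http://host1.example.test/css/pragma/crcmds/main 200
1291374007.789 GET http://host2.example.test/customers/readdatagateway.php?type=stats&affid=396&subid=new02&installrun&version=4.0 200
1291374008.012 GET http://host3.example.test/any/396-direct.ex 200
1291374009.345 GET http://host4.example.test/readdatagateway.php?type=help 200
1291374010.678 GET http://host5.example.test/cnt/cnt_db 200
"""


def scan_log(text):
    """Return (timestamp, url, reason) for every log line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        ts, url = fields[0], fields[2]
        reason = classify_url(url)
        if reason:
            hits.append((ts, url, reason))
    return hits


def affiliate_ids(hits):
    """Collect affiliate IDs seen in matched URLs, for pivoting to related infections."""
    ids = set()
    for _, url, reason in hits:
        if reason.startswith("affiliate-stats affid="):
            ids.add(reason.split("=", 1)[1])
        m = re.search(r"/(\d+)-direct\.ex$", urlsplit(url).path)
        if m:
            ids.add(m.group(1))
    return ids


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for ts, url, reason in found:
        print(ts, reason, url)
    print("affiliate IDs:", sorted(affiliate_ids(found)))
```

The /readdatagateway.php path alone is not treated as an indicator, since a generic PHP file name would produce noise; the combination of type=stats with an affid parameter is what marks the rogue's check-in.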

As mentioned in our previous post on this campaign, users then see fake pop-up warnings claiming that the system is infected or that the antivirus is running in demo mode and needs to be activated.

At the same time a new rogue security product, Protection Center, is installed, along with fake security centers and a constant stream of fake warnings.

The story doesn't end here. The malware also blocks Task Manager from running, and whenever the user tries to open any application, a fake warning message pops up.

The malware also triggers a System Shutdown notification at periodic intervals, which results in the loss of any unsaved data and considerable hassle.

Rogue security software keeps evolving. It no longer sits quietly with fake warnings and nagging pop-ups; with these "shutdown warnings" it is becoming more troublesome and demands more attention. We at Emsisoft remain vigilant as always and make sure we stay a step or two ahead of them.