Twitter spam and some details

  • June 11, 2010
  • 2 min read

We wanted to add on some details on what we found after our research in regards to the Twitter spam emails.

The original Trojan dropper sample named, Twitter_security_model_setup.exe is approximately 416768 bytes, having an icon similar to Windows Update notification

On further analysis we found out the sample to be a variant of TDSS rootkit, in this specific case TDSS-pragma.

On execution, the rootkit creates some hidden files and injects itself to explorer.exe and Iexplore.exe

Further, it tries to download more malicious binaries and open multiple remote website connections,

As we mentioned in our previous post related to this, users will then experience fake popup warnings about system being infected or antivirus is run in demo mode and needs to be activated etc.

A new rogue variant, Protection Center, is installed simultaneously alongwith fake security centers and constant fake warnings.

The story doesnt end here. The malware goes on to disable the execution of Task Manager and if users try to open any application, fake warning messages pops up.

The malware also starts a System Shutdown notification at periodic times which results in loss of any unsaved data and unnecessary hassles.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Rogue security softwares have been evolving.They are not sitting quietly with their fake warnings and nagging popups anymore, but with these “shutdown warnings” , they are becoming more troublesome and demands more attention. We at Emsisoft are as always vigilant and make sure we are a step or two ahead of them and will always be.

Emsi

Emsi

Emsisoft founder and managing director. In 1998 when I was 16, a so called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story

What to read next