Italy: Prime Minister Subject of Spam?
Published: June 29 2009, 05:42 AM by Rossano Ferraris
Spammers have used the recent political controversy surrounding the Italian Prime Minister
Silvio Berlusconi as bait in a spam email aimed at Italian-speaking users (see Figure 1 and
Figure 2). Readers who enjoy gossip about public figures are particularly likely to fall for
this type of message.

Figure 1 - Spammed Email
The English translation is:
“Have you seen what our Prime Minister Silvio Berlusconi is doing? Have you followed his story
with the escort?
Thanks to a journalist of LEGGO, we have got the opportunity to see our Premier together with
his escort girl recently appeared on newspapers. If you want to see them, click on the link below:
hxxp://you[BLOCKED].com/watchv=W3k9pMtrccQ.html
TO SEE THE VIDEO YOU NEED TO INSTALL THE FOLLOWING CODEC…”
If we examine the email closely, we see that it pretends to come from YouTube.
However, the email really comes from a look-alike domain, youtorube.com (see Figure 1 and
Figure 2), which is hosted on a web server located in Florida with IP address 64.71.35.20.
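The header and link checks described above, as an added example that is not part of the original post: a short Python script that parses a constructed message modelled on the one in Figures 1 and 2 (the sample headers, addresses and body text are invented; only the domain youtorube.com, the IP 64.71.35.20 and the video path come from the post), reports the mismatch between the "YouTube" display name and the actual sender domain, pulls the connecting IP out of the Received header, and flags link hosts that sit within a small edit distance of youtube.com.

```python
"""Spot a spoofed brand sender and look-alike link domains in a suspicious mail."""
import email
import re
from email import policy
from typing import Optional
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post. The real
# headers appear only in Figure 2; this text is not the original spam.
SAMPLE_MAIL = """\
Received: from youtorube.com (youtorube.com [64.71.35.20]) by mx.example.it
From: "YouTube" <service@youtorube.com>
To: victim@example.it
Subject: Have you seen what our Prime Minister is doing?
Content-Type: text/plain; charset="utf-8"

Thanks to a journalist of LEGGO we can show you the Premier with his escort.
If you want to see them, click on the link below:
http://youtorube.com/watchv=W3k9pMtrccQ.html
TO SEE THE VIDEO YOU NEED TO INSTALL THE FOLLOWING CODEC...
"""

# Brands whose name in a display name or link must map to exactly this domain.
BRAND_DOMAINS = {"youtube": "youtube.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull in a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); good enough for .com look-alikes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_brand(host: str, max_distance: int = 2) -> Optional[str]:
    """Return the brand a host imitates (name embedded or within edit distance), else None."""
    reg = registered_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if reg == legit:
            continue  # the genuine domain is not a look-alike
        if brand in reg or levenshtein(reg, legit) <= max_distance:
            return brand
    return None


def analyse(raw: str) -> dict:
    """Parse a raw RFC 5322 message and collect spoofing indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a brand that the real sender domain does not own.
    addr = msg["From"].addresses[0]
    display = (addr.display_name or "").lower()
    sender_domain = addr.domain.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display and registered_domain(sender_domain) != legit:
            findings.append(f"display name claims {brand} but sender domain is {sender_domain}")

    # 2. The top-most Received header was added by our own MX, so the bracketed
    #    address in it is the host that actually connected to deliver the mail.
    received = msg.get_all("Received") or []
    m = RECEIVED_IP_RE.search(received[0]) if received else None
    origin_ip = m.group(1) if m else None

    # 3. Every link in the body: flag hosts that imitate a trusted brand.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        links.append({"url": url, "host": host, "lookalike_of": brand})
        if brand:
            findings.append(f"link host {host} looks like {BRAND_DOMAINS[brand]}")

    return {"sender_domain": sender_domain, "origin_ip": origin_ip,
            "links": links, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_MAIL)["findings"]:
        print("FINDING:", line)
```

The edit-distance threshold of 2 catches youtorube.com (two inserted letters) without matching unrelated domains; raise it only for long brand names, and extend BRAND_DOMAINS with the brands your users actually receive mail from. The Received-header parsing assumes the first header is the one written by your own MX, which holds for mail read from your own store but not for forwarded copies.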

Figure 2 - Email Header
The link in the email redirects the user to the malicious website youtorube.com, which asks the user to
install a new codec in order to view the video (Figure 3):

Figure 3 - Host website
The "new codec" is a file named "wmpcodec.exe," which CA Anti-Virus detects as the worm
"Win32/IRCBot.OQ" and blocks from running.
Additional Information on Win32/IRCBot.OQ
We managed to follow the communication between the malware and its IRC server. From there
we found that the bot monitors keystrokes, passwords, websites visited and windows opened on
the infected system.
Win32/IRCBot.OQ sends a log of the infected system's activity to the IRC server. Because the log
is posted into a channel, it is visible not only to the malware author but also to every other
infected system that has joined: the IRC channel becomes a shared log file of all infected machines' activity.
Figure 4 shows how each activity was logged in the IRC channel:

Figure 4 - Communication capture in the IRC channel
It logs usernames and passwords whenever the infected system accesses a website whose URL
contains 'login.php'.
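The channel-logging behaviour described above, as an added example that is not part of the original post or of CA's analysis: a small Python detector that parses RFC 1459 IRC lines from a constructed session (the nick, hosts, channel name and the bot's log-line format are invented; Figure 4 is not reproduced), flags a client registering with an IRC server and joining a channel, and flags channel messages that carry a login.php URL or a credential, masking the secret before it is written into the alert so the SOC log does not become a second leak.

```python
"""Detect IRC bot check-in and credential logs posted to a channel."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed IRC session modelled on the behaviour described in the post: the
# bot registers with the server, joins a channel and posts its keystroke, URL and
# window log there. The real message format is only visible in Figure 4 and is
# not reproduced; the nick, hosts, channel and log tags below are invented.
SAMPLE_SESSION = [
    "NICK it-pc-4711",
    "USER it-pc 0 * :it-pc",
    ":irc.example.net 001 it-pc-4711 :Welcome to the network",
    "JOIN #logs",
    ":it-pc-4711!bot@10.0.0.5 PRIVMSG #logs :[URL] http://www.example.org/index.html",
    ":it-pc-4711!bot@10.0.0.5 PRIVMSG #logs :[KEY] http://mail.example.org/login.php user=mario pass=Segreto1",
    ":it-pc-4711!bot@10.0.0.5 PRIVMSG #logs :[WIN] Documento1 - Microsoft Word",
    "PING :irc.example.net",
]

LOGIN_URL_RE = re.compile(r"https?://\S*login\.php", re.IGNORECASE)
SECRET_RE = re.compile(r"\b(pass(?:word)?|pwd)\s*[=:]\s*(\S+)", re.IGNORECASE)


@dataclass
class IrcMessage:
    prefix: Optional[str]          # ":nick!user@host" or ":server" origin, None if client-originated
    command: str                   # verb or three-digit numeric reply
    params: List[str] = field(default_factory=list)
    trailing: Optional[str] = None # text after " :"


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command, middle params and trailing text."""
    prefix = None
    rest = line.rstrip("\r\n")
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    head, sep, trailing = rest.partition(" :")
    parts = head.split()
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


def redact(text: str) -> str:
    """Mask captured secrets so the alert does not carry the stolen password onwards."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}={'*' * len(m.group(2))}", text)


def scan_session(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule, evidence) for bot check-in and credential logging."""
    alerts = []
    for n, line in enumerate(lines, 1):
        msg = parse_irc_line(line)
        # Lines without a prefix come from the client. A workstation registering
        # with an IRC server and joining a channel is the bot's check-in.
        if msg.prefix is None and msg.command in ("NICK", "USER", "JOIN"):
            alerts.append((n, "irc_client_registration", line))
            continue
        # Channel messages carrying a login.php URL or a credential are the
        # keystroke log being broadcast to everyone in the channel.
        if msg.command == "PRIVMSG" and msg.params and msg.params[0].startswith("#"):
            text = msg.trailing or ""
            if LOGIN_URL_RE.search(text) or SECRET_RE.search(text):
                alerts.append((n, "credential_log_to_channel", redact(text)))
    return alerts


if __name__ == "__main__":
    for line_no, rule, evidence in scan_session(SAMPLE_SESSION):
        print(f"line {line_no}: {rule}: {evidence}")
```

Feed it the reassembled TCP stream of a suspect connection (for example the text exported by a stream-follow in a packet analyser); the registration rule needs no knowledge of the bot's log format, which is useful because the channel traffic itself may be on a non-standard port and formatted differently from the constructed sample.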
In addition, it attempts to download further malware onto the infected system, which CA detects as
Win32/PolyCrypt!packed.
Thanks to Zarestel Ferrer for his contribution to the description of the Win32/IRCBot.OQ malware.
Tags: Anti-Spyware, Anti-Virus, spyware, Passwords, CA, Rossano Ferraris, social networking, spam, rossano, malware, antimalware, CA Anti-Spyware Scorecard, worm, internet threats, CA Anti-Virus, IRCBot, Silvio Berlusconi