Analysis by: Michael Cabel

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

<P>This worm is the Trend Micro detection name for the Mehika <i>Twitter</i> botnet binary. Cybercriminals used a <i>Twitter</i> account in order to send commands to this botnet's new zombies. </p>

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm may arrive bundled with malware packages as a malware component. It may be downloaded by other malware/grayware/spyware from remote sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It modifies the user's Internet Explorer home page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection. It modifies the user's Internet Explorer search page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection.

  TECHNICAL DETAILS

File Size: 74,435 bytes
File Type: PE
Memory Resident: No
Initial Samples Received Date: 16 Jul 2010
Payload: Connects to URLs/Ips, Compromises system security, Steals information, Modifies HOSTS file

Arrival Details

This worm may arrive bundled with malware packages as a malware component.

It may be downloaded by other malware/grayware/spyware from remote sites.

Backdoor Routine

This worm executes the following commands from a remote malicious user:

  • Adds/Modifies entries to the HOSTS file
  • Restarts a host machine
  • Replaces HTTPs
  • Sends email messages
  • Downloads and executes files
  • Monitors visited sites
  • Logs keystrokes
  • Sends messages to MSN containing a link pointing to its copy
  • Updates its Twitter RSS feed on the link, http://{BLOCKED}r.com/statuses/user_timeline/118177052.rss with these actions

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://{BLOCKED}.{BLOCKED}.133.57/~duskrow/Twitter/

Web Browser Home Page and Search Page Modification

This worm modifies the user's Internet Explorer home page to the following websites:

  • http://www.google.com

It modifies the user's Internet Explorer search engine into the following websites:

  • http://www.google.com

NOTES:

It requires other components to effectively perform its malicious routines.

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI OPR PATTERN File: 7.315.00
VSAPI OPR PATTERN Date: 16 Jul 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as WORM_TWITBOT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.