October 11th, 2012

Avast Virus Lab analysis of Dorkbot with Skype hijacker

Earlier this week, a new variant of the Dorkbot/Ruskill malware attacked users of the Skype video calling service. This malware can affect a huge number of sites and online services and can attack almost all known web browsers, such as Internet Explorer, Firefox, Chrome, Opera and Flock, as well as other programs such as MSN, wlcomm.exe, etc.

The avast! Virus Lab analyzed this malware. You can read about it in articles published on the web, but none of them analyzed the new module that can hijack Skype messenger, which is now the bigger threat to users. In packed form, this module is around 70KB. After removal of the custom packer/loader, its pure size is 16 384 b. The module is very small, but it includes 31 known language versions of the phishing messages that appear in the Skype messenger window. The language is chosen according to the OS language, which the module obtains via the GetLocaleInfo API. By bypassing that call's return value during analysis, you can see the different language variants.


Sample of phishing messages in various languages:

  • lol is this your new profile pic?
  • hey é essa sua foto de perfil? rsrsrsrsrsrsrs
  • hej je to vasa nova slika profila?
  • hey c’est votre nouvelle photo de profil?
  • ?hey esta es tu nueva foto de perfil?
  • hey ini foto profil?
  • hei er dette din nye profil bilde?
  • hej to jest twój nowy obraz profil?
  • hey ito sa iyong larawan sa profile?
  • ?aquesta és la teva nova foto de perfil?
  • hej detta är din nya profilbild?
  • hej jeli ovo vasa nova profil skila?
  • hey la anh tieucua ban?
  • sa k’vo profili lusankary
  • hey e la tua immagine del profilo nuovo?
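
For defenders, the lure strings above can be used as a detection signal in chat logs. The following is an added example, not code from Avast or from the malware: it matches incoming messages against a subset of the lures listed on this page, tolerating differences in case, accents, punctuation and small edits. The function names, the 0.85 similarity threshold and the sample messages in the comments are assumptions made for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Lure strings copied from the list on this page (a subset of the languages).
LURES = [
    "lol is this your new profile pic?",
    "hey é essa sua foto de perfil? rsrsrsrsrsrsrs",
    "hej je to vasa nova slika profila?",
    "hey c’est votre nouvelle photo de profil?",
    "?hey esta es tu nueva foto de perfil?",
    "hej detta är din nya profilbild?",
    "hey e la tua immagine del profilo nuovo?",
]

def normalize(text):
    """Case-fold, strip diacritics and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text.casefold())
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^\w\s]", " ", text)
    return " ".join(text.split())

# Pre-normalize once so each message is only compared, not re-processed.
NORMALIZED = [(normalize(lure), lure) for lure in LURES]

def match_lure(message, threshold=0.85):
    """Return (lure, score) for the best match at or above threshold, else None.

    threshold is an assumed value; tune it against your own chat data.
    """
    norm = normalize(message)
    best_lure, best_score = None, 0.0
    for norm_lure, lure in NORMALIZED:
        if norm_lure in norm:
            score = 1.0  # lure embedded verbatim in a longer message
        else:
            score = SequenceMatcher(None, norm_lure, norm).ratio()
        if score > best_score:
            best_lure, best_score = lure, score
    if best_score >= threshold:
        return best_lure, best_score
    return None

if __name__ == "__main__":
    # Constructed sample messages, not taken from real traffic.
    for msg in ["LOL is this your new profile pic??",
                "hej detta ar din nya profilbild",
                "can you send me the new profile for the printer?"]:
        print(repr(msg), "->", match_lure(msg))
```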