Fear of Piracy Opens Door to Virus-Infected Worm

Ever thought about going cheap on software rather than purchasing a legit copy? Let’s put it this way. Would you rather install a crack coming from the underbelly of the web than buy a copy of Microsoft Office? Many have made this mistake.

The latest trend in piracy guest-stars the classical worm with a twist: get a software crack, run it, then let the worm that comes with it wreak havoc on your PC. You know this scenario, but, there is even more to this story.

A piece of malicious code written in Visual Basic, identified by Bitdefender as Win32.Worm.Coidung.B, spreads via Yahoo Messenger pretending to be an Office Genuine Advantage checker, called “office_genuine.exe”. This file has been used by computer owners to check if their Microsoft Office applications were legit, but the tool got deprecated in December 2010, when Microsoft retired the OGA program.

However, the name of the file usually associated with a legit tool is enough to trick the user into downloading and executing the worm on their computers. Along with the worm another uninvited guest, a file infector known by the name of Win32.Virtob, also reaches the victim’s system. It is currently unknown if the Virtob code has been planted inside the worm with a specific purpose in mind or if it got there as a result of a natural infection, but one thing is sure: the worm travels with a dark passenger.

The worm operates fast, disables the Windows Firewall and opens a backdoor to allow a remote attacker to access and control the compromised computer. The end purposes may very well vary from data theft to DoS attacks, or any other illegal usages for a computer that has a remote access Trojan planted on it.

Coidung makes copies of itself hiding them in several system folders under various names. Afterwards, it makes modifications in Registry so all these copies are initialized at start up. In the meantime the worm sees that none of the copies are deleted, deactivated or removed from startup.

Aside from the damage inflicted by the worm, the user’s system must also face the attack coming from the polymorphic virus with backdoor behavior. Virtob attached itself to the worm to be “transported” to different locations, a tactic used by pieces of malware to enhance their own spreading functions.

The virus is known to avoid emulators and virtual machines. It infects ASP, HTM and PHP scripts (the most common file formats for web applications) while waiting for the attacker’s commands to download from further malware and execute it on the computer.

This approach is not new. Four or five years ago, right after Microsoft launched the controversial Windows Genuine Advantage Validation Notification program, another malware pretended to be a Windows genuine tool as well. We know by now that old tricks are habitually recycled by crooks – and with good results. In 2006 and 2007, the malware (Cuebot-K) pretended to be Microsoft Windows Genuine Advantage and spread via AOL instant messenger.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender VirusAnalyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.