Date: Mon, 20 May 2013 23:59:05 +0200
- Malware alert
IRCBot.CNE, BckPatcher.C and Boface.BJ
IRCBot.CNE sends messages to the infected user’s MSN Messenger contacts.
Message subjects include:
* Me miro boracho en video que me tomaron en youtube (I see myself
drunk in a video on youtube).
* Esta es mi casa de suenos!! (this is my dream house)
* Mira que pedo andaba ayer en la fiesta (look how drunk I was at
* No me acuerdo si me dormir con esta vieja??no se que hacer? (I
can’t remember if I slept with this woman yesterday. I don’t know what
* Santo Dios creo que eres tu!!!! (Oh my God, I think it’s you!)
These messages include an attachment which is a copy of the worm. On
running the file, users are infected with a copy of the worm.
BckPatcher.C, on the other hand, is designed to modify the desktop
background, the Windows Explorer background and the folder icons.
Additionally, every time files with certain extensions are executed
(DLL, EXE, JPG or RAR) the worm is run instead of the applications
associated with those extensions.
BckPatcher.C spreads through shared, mapped and removable drives, copying itself to them.
You can see images of the modifications carried out by the worm here:
The Boface.BJ worm reaches computers in a different way: through email
messages with attachments, Internet downloads, files transferred via
FTP, IRC channels, P2P file-sharing networks, etc. Users are unaware of
Once the PC is infected, it takes approximately four hours to trigger
its payload. It does so when users log into their Facebook
account. Then, it uses the network to send them a message, including the
affected user. http://www.flickr.com/photos/panda_security/3528707512/
On clicking the link users are directed to a page that resembles YouTube
(called “YuoTube”) in which a video “should” be displayed. However, in
order to do so, users are asked to download a player. If users accept,
the fake antivirus is downloaded. Image here:
Once the download is accepted, the fake antivirus is installed on the
computer. It then starts sending users messages informing them their PC
is infected and telling them they should buy a solution. Here is the
interface displayed by one of the fake antiviruses: