by FaceTime Security Labs

Foster City, Calif – June 19, 2006 – Today, FaceTime Security Labs announced the discovery of a worm that steals users’ banking details, usernames and passwords. The worm, known as MW.Orc, is propagating through Orkut, Google’s social networking site, as users launch an executable file disguised as a JPEG. Google has a temporary fix in place and encourages Orkut users not to open suspicious files.

“Sometimes there is a false sense of security and trust that an end user has in a ‘gated’ community such as Orkut. This is similar to what we see happening in instant messaging,” said Chris Boyd, security research manager for FaceTime Security Labs and a globally recognized Internet security expert.

The initial executable that causes the infection installs two additional files on the user’s computer. When the infected user clicks the “My Computer” icon, these files e-mail the captured banking details and passwords to the worm’s anonymous author.

The infection spreads automatically by posting a URL in another user’s Orkut Scrapbook, a guestbook where visitors can leave comments visible on the user’s page. This link lures visitors with a message in Portuguese, falsely claiming to offer additional photos. The message text that carries an infection link can vary from case to case. Orkut is popular among Brazilian Internet users.

In addition to stealing personal information, the malware can also enable a remote user to control the PC and make it part of a botnet, a network of infected PCs controlled by a hacker. The botnet in this case uses an infected PC’s bandwidth to distribute large, pirated movie files, potentially slowing down an end-user’s connection speed.


FaceTime Security Labs researchers have posted commentary and recommendations concerning MW.Orc at http://blog.spywareguide.com/2006/06/datatheft_malware_targets_goog_1.html, including a video that shows how the malware sends personal data back to the attacker. FaceTime Security Labs is the threat research division of IM and Greynet security leader FaceTime Communications.

Threat name: MW.Orc

Threat type: Malware

Risk: Medium

Who is affected: Orkut members and visitors using Windows XP

Additional information: The initial executable (Minhasfotos.exe) creates two additional files when run, winlogon_.jpg and wzip32.exe, both placed in the System32 folder. When the user clicks the “My Computer” icon, an e-mail containing their personal data is sent to the attacker. In addition, the machine may be added to an XDCC botnet (used for file sharing), and the infection link may be sent to other users the victim knows on Orkut. The infection can be spread manually, but the worm can also post “back-dated” infection links to the people in the infected user’s friends list.
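The two indicators a responder can act on from the summary above are the dropped file names in System32 and the disguise itself: a PE executable carrying an image extension (winlogon_.jpg on disk, and the Minhasfotos.exe lure presented as a photo). The script below is an added example written for this page, not FaceTime code; the file names come from the advisory, while the magic-byte check (PE files begin with “MZ”, JPEGs with FF D8 FF) is a general technique assumed to be the right test here. The sample directory it scans is constructed in a temp folder so the script runs offline; point scan_directory at a real %SystemRoot%\System32 to use it on a suspect XP machine.

```python
import os
import tempfile

# File names taken from the advisory text (matched case-insensitively).
MW_ORC_DROPPED_FILES = {"winlogon_.jpg", "wzip32.exe"}
MW_ORC_DROPPER = "minhasfotos.exe"

# Leading bytes used to classify content independent of the extension
# (general file-format facts, not taken from the advisory).
PE_MAGIC = b"MZ"
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def classify_file(path):
    """Return 'pe', 'jpeg' or 'other' from the first bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    return "other"


def scan_directory(directory):
    """Scan one directory for MW.Orc indicators.

    Returns a sorted list of (filename, reason). A file is reported when
      - its name is one of the advisory's dropper or dropped-file names, or
      - it has an image extension but its content is a PE executable
        (the "executable disguised as a JPEG" technique the worm relies on).
    A file can appear twice if both conditions hold.
    """
    findings = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower in MW_ORC_DROPPED_FILES or lower == MW_ORC_DROPPER:
            findings.append((name, "known MW.Orc file name"))
        ext = os.path.splitext(lower)[1]
        if ext in IMAGE_EXTENSIONS and classify_file(path) == "pe":
            findings.append((name, "image extension but PE executable content"))
    return sorted(findings)


def build_sample_system32():
    """Constructed stand-in for System32 (sample data, not real malware)."""
    directory = tempfile.mkdtemp(prefix="mworc_demo_")
    samples = {
        "winlogon_.jpg": b"MZ\x90\x00" + b"\x00" * 60,    # PE bytes under a .jpg name
        "wzip32.exe": b"MZ\x90\x00" + b"\x00" * 60,       # dropped helper executable
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # genuine JPEG header
        "kernel32.dll": b"MZ\x90\x00" + b"\x00" * 60,     # legitimate PE, not an image name
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    for filename, reason in scan_directory(build_sample_system32()):
        print(f"{filename}: {reason}")
```

The content check matters more than the name check: a variant can rename its dropped files, but a PE payload that must still execute keeps its MZ header, and Explorer hides known extensions by default, which is exactly why a “photo” named something.jpg.exe passes as a picture. On a live system, treat any hit as a reason to pull the machine off the network and change the banking credentials used from it, since the advisory states the data is mailed out as soon as “My Computer” is opened.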

FaceTime Customers Are Protected Against This Threat
FaceTime’s RTGuardian and GEM customers are protected from this threat if they have auto-update features enabled. FaceTime’s X-Cleaner customers should download the latest update and scan their PC. FaceTime Enterprise Edition and IMAuditor customers can proactively block these threats by using the auto-update features to block downloads of the specific file types associated with them.

Unless otherwise noted this article is Copyright © 2022 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquires please contact us with the phrase "Spyware Guide Articles" in the subject line and we will by happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.
