February 2, 2012

Doctor Web—the Russian anti-virus vendor—warns users of a Trojan.OneX program that uses infected machines to send spam via Facebook and messaging clients. Currently, two modifications of this Trojan horse with similar features are found regularly in the wild. Given the spreading scheme the number of victims can be extremely large.

Trojan.OneX runs only under 32-bit Windows versions. When run in a 64-bit system, it stops working after downloading a text file from a remote server. Once launched on the infected machine, Trojan.OneX.1 checks if its copy is already present in the system, and then decrypts the remote server address it will use to download a special text file. This file contains several lines in English such as “hahaha! http://goo.gl [...]. jpeg “, with which the Trojan horse substitutes messages the user tries to post to Facebook. Message text is replaced by strings from the file only in the chat mode. In such cases actual messages sent from the infected system are blocked. Every hour, the Trojan horse downloads a new configuration file from a remote server.

Trojan.OneX.1 looks for running processes with the names firefox, iexplore and IEXPLORE in the system, and, if found, injects its code into the processes. Then it takes control of functions responsible for sending messages.

Soon after the first modification of the Trojan horse had been discovered, Doctor Web's virus analysts got hold of another malware sample dubbed Trojan.OneX.2. Unlike the first version, the second modification uses popular messaging software processes such as skype, pidgin, aim, msnmsgr icq.exe, yahoom, ymsg_tray.exe, googletalk, xfire.exe instead of browsers. The mouse and keyboard connected to the infected system are blocked when a message is being sent. Unlike Trojan.OneX.1, Trojan.OneX.2 can parse configuration files in Unicode.

Messages sent by the Trojan horses often contain links to malicious phishing sites. One such site mimics the RapidShare design. Users are prompted to download a JPEG image which in fact is a zip-archive containing Photo14.JPG.scr—an executable file (Trojan.Packed.22289) that incorporates BackDoor.IRC.Bot.1446. This malicious program not only gives attackers access to the infected computer and steals confidential data, but also allows intruders to run various commands on the infected computer, download and install other applications. Notably: Doctor Web registered cases when Trojans BackDoor.IRC.Bot was used to spread Trojan.OneX, which, in turn, contributes to the further spread of BackDoor.IRC.Bot.

The signatures of these malicious programs have been added to the Dr.Web virus database so users whose systems are protected by Dr.Web anti-virus software may rest assured that their machines are well protected.