Someone you know has just sent you a pic in WhatsApp - Virus


Email:

Fake WhatsApp email claims someone you know or your friend sent you a picture, implying it is attached.

Attached zip contains an exe virus or trojan horse.

Spoofs WhatsApp.com in From headers.

Even though the Asprox botnet put WhatsApp on the malware map, I don't think these are from Asprox at all.


Subject:  A friend of yours has just sent you a image

[WhatsApp logo]
Hi!

Someone you know has just sent you a pic in WhatsApp. Open attachments to look it up.

2013 WhatsApp Inc

IMG003299.zip (64)

Subject: Someone you’re acquainted with has just sent you a photo

[WhatsApp logo]
Hi!

A friend of yours has just sent you a pic in WhatsApp. Open attachments to look it up.

2013 WhatsApp Inc

IMG003299.zip (64)

Subject: Your friend has just sent you a picture

[WhatsApp logo]
Hi!

Somebody has just sent you a picture in WhatsApp. Open attachments to look at it.

© 2013 WhatsApp Inc

IMG003299.zip (64)

Subject: A friend of yours has just sent you a photo

[WhatsApp logo]

Hello!

Your friend has just sent you a photograph in WhatsApp. Open attachments to to check it out.

© 2013 WhatsApp Inc

[Picture of fake WhatsApp email with attached virus.]

[Picture of fake WhatsApp email with attached virus, version 2.]


Header Examples:

Spoofs whatsapp.com in From headers and gmail or yahoo in Envelope headers.

cbl.abuseat.org classifies these as cutwail spambots.

Received: from [2.88.181.150]
X-Envelope-From: fictionjs47 @gmail.com
From: "WhatsApp" <messages @whatsapp.com>
Subject: Someone you're acquainted with has just sent you a photo

Received: from 114-44-75-87.dynamic.hinet.net [114.44.75.87]
X-Envelope-From: rippersd @yahoo.com
From: "WhatsApp" <messages @whatsapp.com>
Subject: Someone you know has just sent you a photo

Received: from host-92.103-43-115.dynamic.totalbb.net.tw [115.43.103.92]
X-Barracuda-Envelope-From: mescaline91 @yahoo.com
From: "WhatsApp" <messages @whatsapp.com>
Subject: Your friend has just sent you a picture

Received: from [115.133.188.177]
X-Barracuda-Envelope-From: resellgz @yahoo.com
Subject: Someone you know has just sent you a picture
From: "WhatsApp" <messages @whatsapp.com>

Received: from cab16.pndsl.co.uk [80.229.243.221]
X-Envelope-From: sedimentationn64 @gmail.com
From: "WhatsApp" <messages @whatsapp.com>
Subject: Someone you know has just sent you a photo

Received: from [27.54.176.254]
X-Envelope-From: iranjk @yahoo.com
Subject: A friend of yours has just sent you a photo
From: "WhatsApp" <messages @whatsapp.com>
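The From/Envelope-From split shown in the headers above is easy to check mechanically. The snippet below is an added example, not code from this page or from THL: it parses header snippets modelled on the samples (addresses are the page's obfuscated forms with the stray space removed, plus one constructed benign message for contrast) and flags messages whose From: domain does not match the envelope sender's domain.

```python
import re

# Constructed header snippets modelled on the samples above; the third one is
# a benign message (not from the page) so the check has a negative case.
SAMPLES = [
    """Received: from [2.88.181.150]
X-Envelope-From: fictionjs47@gmail.com
From: "WhatsApp" <messages@whatsapp.com>
Subject: Someone you're acquainted with has just sent you a photo""",
    """Received: from host-92.103-43-115.dynamic.totalbb.net.tw [115.43.103.92]
X-Barracuda-Envelope-From: mescaline91@yahoo.com
From: "WhatsApp" <messages@whatsapp.com>
Subject: Your friend has just sent you a picture""",
    """Received: from mail.example.org [203.0.113.5]
X-Envelope-From: alice@example.org
From: "Alice" <alice@example.org>
Subject: Lunch tomorrow?""",
]

ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
# Header names that carry the envelope (SMTP MAIL FROM) sender in these samples.
ENVELOPE_HEADERS = ("x-envelope-from", "x-barracuda-envelope-from", "return-path")


def parse_headers(raw):
    """Map lower-cased header name -> value (no folding needed for these samples)."""
    hdrs = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs


def domain_of(value):
    """Extract the domain part of the first e-mail address in a header value."""
    m = ADDR_RE.search(value or "")
    return m.group(1).lower() if m else None


def check_envelope_mismatch(raw):
    """Return (suspicious, from_domain, envelope_domain).

    A mismatch alone is not proof of spoofing (forwarders and mailing lists
    produce it legitimately), but a From: claiming whatsapp.com over a webmail
    envelope sender is exactly the pattern in the samples above.
    """
    hdrs = parse_headers(raw)
    from_dom = domain_of(hdrs.get("from"))
    env_dom = next((domain_of(hdrs[h]) for h in ENVELOPE_HEADERS if h in hdrs), None)
    suspicious = bool(from_dom and env_dom and from_dom != env_dom)
    return suspicious, from_dom, env_dom


if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_envelope_mismatch(raw))
```

In a real mail pipeline the same comparison should also be fed to SPF/DMARC evaluation, which is what makes a whatsapp.com From: over a gmail.com envelope rejectable rather than merely suspicious.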

Attachment / Link Samples:

11 December 2013

IMG003299.zip containing IMG003299.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report

7 March 2014

IMG300089222.zip containing IMG300089222.exe

VirusTotal report 

AntiVir       TR/Dropper.Gen
Avast         Win32:Trojan-gen
Bkav          HW32.CDB.9d12 (20140306)
ByteHero      Trojan.Malware.Obscu.Gen.002
Commtouch     W32/Trojan.TIGL-1249
ESET-NOD32    Win32/Spy.Zbot.AAU
Ikarus        Trojan-Spy.Agent
Kaspersky     Trojan-Spy.Win32.Zbot.rsfr
Kingsoft      Win32.Troj.Generic.a.(kcloud)
Panda         Suspicious file
Qihoo-360     HEUR/Malware.QVM07.Gen
Sophos        Mal/Generic-S
Symantec      Trojan.Zbot
TrendMicro    TROJ_FORUCON

Malwr.com report 

File-Analyzer.net report 

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Opens a port and listens for incoming connections (possibly a backdoor)
Drops:
    C:\Documents and Settings\Administrator\Local Settings\Temp\Ofmuek\doatuk.exe
    C:\WINDOWS\system32\drivers\275f1.sys
Binary may include packed or encrypted data
Creates driver files
Creates files inside the driver directory
Contains functionality to inject threads into other processes
Queries the volume information (name, serial number, etc.) of a device

Samples provided to Clam AV and Microsoft Security when this article was created.
