WARNING: Orkut ID Hacked and Testimonial written in some language...!!

[Kiran.dks]

Today I received email notification that my friend "Raj" has written a testimonial for me. I logged in Orkut and found something bizzare. A testimonial from my friend in some language and a link. I found it strange. My friend Raj revealed that he never wrote a testimonial for me!! He is astonished and so am I too!

The testimonial leads to a website. I clicked on the link. Instead of opening the page, it download a exe file of 145KB. I downloaded it and scanned for spywares. I found nothing. But I am not sure of running the exe.

The whole point in posting this thread is to spread awareness.

Below is the snap shot of the testimonial I recieved. It says it is from Raj(My friend). He never sent it!

[SoFtEcH]

OMG@ this is weird....

[phreak0ut]

Thanks a lot for sharing Kiran. Need to spread this news asap!!

[Kiran.dks]

Ok guys...I did some R&D of the language used. It turned out to be Portugese!!

Here is the translation:

Quote:

Its presence is a gift for the world You is unico(a) and alone you have an equal person Its life you can be what to want that is Alive the days, only one of each time Counts to its bençãos, its problems You will not surpass them, you happen what to happen Inside of you she has many answers Understands, you have courage, either strong you do not impose limits exactly itself... Many of your dreams are for being carried through. E this image below complements everything what you mean:
h**p://urlcut.com/img12
Happinesses 1000!

What the heck is this??? Bloody hacker.

[phreak0ut]

Guys, I had downloaded the malware and submitted the file to virustotal.com, which does a scan for suspicious behaviour with various antivirus. Here is the report which I got in my mail

Quote:

Complete scanning result of "x.exe", processed in VirusTotal at 03/25/2007
13:41:39 (CET).

[ file data ]
* name: x.exe
* size: 147622
* md5.: 3442355b265a863016eeb69e88de7de2
* sha1: d4f1e73f4cbded11701d3bcc92f5feef0506a746

[ scan result ]
AhnLab-V3 2007.3.24.1/20070324 found nothing
AntiVir 7.3.1.44/20070325 found [TR/Delphi.Downloader.Gen]
Authentium 4.93.8/20070324 found [Possibly a new variant of
W32/new-malware!Maximus]
Avast 4.7.936.0/20070323 found nothing
AVG 7.5.0.447/20070324 found nothing
BitDefender 7.2/20070325 found [Trojan.Downloader.Banload.AOO]
CAT-QuickHeal 9.00/20070323 found [(Suspicious) - DNAScan]
ClamAV devel-20070312/20070325 found nothing
DrWeb 4.33/20070325 found nothing
eSafe 7.0.14.0/20070322 found [Win32.Polipos.sus]
eTrust-Vet 30.6.3506/20070323 found nothing
Ewido 4.0/20070324 found nothing
F-Prot 4.3.1.45/20070323 found [W32/new-malware!Maximus]
F-Secure 6.70.13030.0/20070324 found [Trojan-Downloader.Win32.Banload.aoo]
FileAdvisor 1/20070325 found nothing
Fortinet 2.85.0.0/20070325 found [suspicious]
Ikarus T3.1.1.3/20070325 found [Backdoor.Win32.Hupigon.BV]
Kaspersky 4.0.2.24/20070325 found [Trojan-Downloader.Win32.Banload.aoo]
McAfee 4991/20070323 found [New Malware.u]
Microsoft 1.2306/20070325 found nothing
NOD32v2 2143/20070325 found [a variant of Win32/TrojanDownloader.Banload.AOO]
Norman 5.80.02/20070323 found nothing
Panda 9.0.0.4/20070324 found nothing
Prevx1 V2/20070325 found nothing
Sophos 4.15.0/20070323 found [Mal/Packer]
Sunbelt 2.2.907.0/20070324 found [VIPRE.Suspicious]
Symantec 10/20070325 found [Infostealer.Banpaes]
TheHacker 6.1.6.080/20070323 found nothing
UNA 1.83/20070316 found nothing
VBA32 3.11.2/20070324 found [suspected of Downloader.Banload.15 (paranoid
heuristics)]
VirusBuster 4.3.7:9/20070325 found [Packed/NSPack]
Webwasher-Gateway 6.0.1/20070325 found [Trojan.Delphi.Downloader.Gen]

[ notes ]
packers: NSPACK
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that
are deemed suspicious through heuristics.

So, be careful of this malware and start deleting the testimonials/messages etc.

[Cool G5]

I also got a testimonial from my friend in some unknown language.It was also similar to the above posted one.He also is sure that he did not send it.

[Pathik]

all this has been happening since long back... did no1 of u know this???... just ignore/delete such msgs/testi/scraps...

[Tech Geek]

even i recieve it once a weeek
just ignore it and delete it

[Kiran.dks]

I have received many such scraps. But this is the first time it came as a testimonial using my friend ID. Many others might come across this in future. Please see that you don't click on such links.

Thanks to phreak0utt for posting the report here. I too sent it to VirusTotal earlier this evening. Still waiting for the report.

This does throw some light on the capabilities of AntiVirus Products.....
Avast! and AVG has found nothing....now that's strange considering the popularity of these too antivirus products.
AntiVir, the less popular one has detected it.

[Harvik780]

Ya,thanks for the update.I have been using avast for quiet a while but this has made me think again on searching for better protection.

[ax3]

just DELETE it ! ! !

[neilsequeira]

you idot lol thats a porn bot who wants to kill you ya i mean it its porn bot which is a infilitration in design. go it ? or am i too technical . its a virus or a trojan written by some idiot (Custom made)

**** the intelligent me download this shidd from some orkut freind who was given a testimonial by some fake Orkut ID one pc in RWW is infected by virus because of me and the dont know. the virus was some file - like pic.jpg.exe

[Kiran.dks]

Quote:

Originally Posted by neilsequeira

you idot lol thats a porn bot who wants to kill you ya i mean it its porn bot which is a infilitration in design. go it ? or am i too technical . its a virus or a trojan written by some idiot (Custom made)

**** the intelligent me download this shidd from some orkut freind who was given a testimonial by some fake Orkut ID one pc in RWW is infected by virus because of me and the dont know. the virus was some file - like pic.jpg.exe

Do u have any kind of forum ethics? I have seen u always barking and messing up here. Your act against some of our reputed members has been very rude and senseless. Learn some ethics and enter the technical forum.

[shantanu]

r u sure its in portugese..

[Kiran.dks]

Yes. I am sure it is portugese. Hence the translation...

[ssdivisiongermany1933]

I have stopped using orkut , waste of time

[Tech.Masti]

Thanks for the information friends.....

[phreak0ut]

@Kiran-Thanks a lot for the translation. I posted the report in such excitement that I overlooked whatever was posted before. Thanks for letting us all know. Dunno what these guys get by sending such malwares. Well, I'm safe on linux

[alok4best]

Quote:

Originally Posted by neilsequeira

you idot lol thats a porn bot who wants to kill you ya i mean it its porn bot which is a infilitration in design. go it ? or am i too technical . its a virus or a trojan written by some idiot (Custom made)

**** the intelligent me download this shidd from some orkut freind who was given a testimonial by some fake Orkut ID one pc in RWW is infected by virus because of me and the dont know. the virus was some file - like pic.jpg.exe

Is this Guy trying to act smart..Dude get a life...this is not yahoo chat where u can use chat lingos..whatever u want to say,write in human readable form. ,if u can write simple English at all...and dont think u r ultimate geek ever born on Earth..

[Kiran.dks]

BTW, here are details of the trojan.
It is a new one discovered on 04/01/2007. Avast! and AVG are not fast in providing rapid updates I guess...they missed the trojan.

So friends, be careful. It is a new one. Most paid versions are detecting it. But not all of free antivirus versions.

Name: TR/Drop.Delf.YX detected as TR/Delphi.Downloader.Gen by AntiVir
Date discovered: 04/01/2007
Type: Trojan
Subtype: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 109.056 Bytes
MD5 checksum: 7084ec1ce75b6a3521df3e224d5421c7
VDF version: 6.35.01.100 - Wed, 16 Aug 2006 09:57 (GMT+1)
IVDF version: 6.35.01.101

Aliases:
• Kaspersky: Trojan-Dropper.Win32.Delf.yx
• Sophos: Troj/Delf-DKS
• Grisoft: Dropper.Generic.GKO
• Eset: Win32/TrojanDropper.Delf.YX
• Bitdefender: Trojan.Downloader.Delf.ST

Programming language:
The malware program was written in Delphi.

More Details

[Maverick340]

Yep . This happened to two of my friends too. The main problem is how are the accounts being hacked? This is a very grave problem. As users keep trying to reprot instances of Account being Hacked to Google using the contact us page on orkut.

[alok4best]

Accounts are being hacked because their respective owners are not alert.U cud be using a Comp on which Keylogger is installed..or u can be a victim of phising,fake web pages,trojans,viruses..etc etc...

[mehulved]

Always be caredul when using links from tinyurl, snipurl, urlcut and such. If possible ask the person who sent you the link, if that link has been actually sent by them and what it points to and maybe even ask for original link rather. These url snipping services have been misused a lot.

[ax3]

1 good lesson 2 b learnt : NEVER PUBLISIZE UR ORKUT ID .......


whot say ppl ?

[Pathik]

Quote:

Originally Posted by tech_your_future

Always be caredul when using links from tinyurl, snipurl, urlcut and such. If possible ask the person who sent you the link, if that link has been actually sent by them and what it points to and maybe even ask for original link rather. These url snipping services have been misused a lot.

these links r not cloaked...
even if u click on them than after some time wen the page just starts to load u can see the original url in the status bar..

[crystal_pup]

its a spam ya...

[Maverick340]

Quote:

Originally Posted by alok4best

Accounts are being hacked because their respective owners are not alert.U cud be using a Comp on which Keylogger is installed..or u can be a victim of phising,fake web pages,trojans,viruses..etc etc...

Nahi yaar. These tow friends of mine arent simpletons. They wouldn't have left passwords astray. Theres is something more to it .

[neilsequeira]

about forum ethics you people should learn what you are doing. i dont want to speak more. i seen the whole forum and this thing has not helped me in anything. i am sorry for this but i am quitting

i never recieved such things , since i joined orkut