
Worm:OSX/Tored.A


First posted on 06 May 2009.
Source: SecurityHome

Aliases:

There are no other names known for Worm:OSX/Tored.A.

Explanation:

A standalone malicious program that uses computer or network resources to make complete copies of itself. It may include code or other malware to damage both the system and the network.

Additional Details

Worm:OSX/Tored.A is a worm that propagates through infected e-mails and is capable of functioning as a backdoor and keylogger.

The worm is compiled using REALbasic and contains functions pertaining to the glink terminal emulator.

Installation

Tored.A distributes copies of itself in infected e-mails. The e-mails have the following characteristics:

The "Subject" text is:

• For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)

The "From" field is:

• AppleFu(2 random letters)cker@mail.(random letters)

The body text can be any of the following:

• Hi
• Hey
• Hello
• y0
• Selem alaykom
• Friend ! :) ,
• friend
• dude
• man
• you
• fucky :D , just kidding,so
• wassup ?
• how it is going
• I missed you ! ^^
• what is up there?
• what is new ?
• how are you
• sup?
• Traducting and decrypting message .... :
• Traducting and decrypting message .... :Sir , Your Text !
• Traducting and decrypting message .... :Error For Sending ,It Is Important to Get Your Data
• Traducting and decrypting message .... :Chek It
• Traducting and decrypting message .... :Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement
• Traducting and decrypting message .... :Check
• Traducting and decrypting message .... :Your Identidie Has Been ....Chek Attchement For More Information
• Traducting and decrypting message .... :You Has Been Comprimased , updating tools are as an attachement !
• Traducting and decrypting message .... :Credi Money Has Been Sent As A Binary File for thanks for the updating, Chek
• Traducting and decrypting message .... :New update tools
• Traducting and decrypting message .... :Chek your update application !
• Traducting and decrypting message .... :Your information was ...

Once executed, the worm copies itself to the startup items folder so that it runs automatically at each system startup.

The worm also checks for any virtual volumes connected to the infected machine.

Activity

On execution, Tored.A listens on TCP port 9999.

If it is able to establish a remote connection, it can then perform the following actions:

• Update itself
• Perform DDoS attacks
• Send spam
• Download and execute additional files
• Bot functionality

Once connected, Tored.A can also forward system information to the malware author(s), such as:

• IP address
• MAC address and subnet, with the text "Infected and boted by OSX.Raedbot.B++"

Tored.A also queries the Keychain application and performs the following operations:

• Gets the attribute
• Gets the item
• Locks and unlocks an item
• Deletes an item
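
A host-side check for the TCP port 9999 listener described at the start of this section, added here as an example; it is not part of the original description. It parses BSD/macOS-style `netstat -an` output (the sample below is constructed, not a capture from an infected host), lists every TCP listener, and reports whether port 9999 is open and which remote peers currently have a session to it. Port 9999 is not reserved for this worm, so a hit is a prompt to identify the owning process and review the startup items folder, not confirmation of infection on its own.

```python
from typing import Iterator, List, Tuple

# Port the description says Tored.A listens on.
TORED_PORT = 9999

# Constructed sample of BSD/macOS `netstat -an` output (not a real capture):
# a listener on port 9999 plus one established session to it.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49152     203.0.113.5.443        ESTABLISHED
tcp4       0      0  192.168.1.20.9999      198.51.100.7.51000     ESTABLISHED
tcp4       0      0  *.9999                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""


def parse_endpoint(field: str) -> Tuple[str, int]:
    """Split a BSD-style 'addr.port' field ('*.9999', '127.0.0.1.631');
    the port is everything after the last dot."""
    addr, _, port = field.rpartition(".")
    return addr, int(port)


def parse_tcp_rows(netstat_output: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (local, foreign, state) for each TCP row, skipping headers and UDP."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        yield parts[3], parts[4], parts[5]


def find_tcp_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """All (address, port) pairs in LISTEN state."""
    return [parse_endpoint(local)
            for local, _, state in parse_tcp_rows(netstat_output)
            if state == "LISTEN"]


def tored_port_activity(netstat_output: str) -> dict:
    """Report whether port 9999 is open and which remote peers are talking to it."""
    listening, peers = False, []
    for local, foreign, state in parse_tcp_rows(netstat_output):
        if parse_endpoint(local)[1] != TORED_PORT:
            continue
        if state == "LISTEN":
            listening = True
        elif state == "ESTABLISHED":
            # Foreign endpoint is a concrete addr.port for established rows.
            peers.append(parse_endpoint(foreign)[0])
    return {"listening": listening, "peers": peers}


if __name__ == "__main__":
    print(find_tcp_listeners(SAMPLE_NETSTAT))
    print(tored_port_activity(SAMPLE_NETSTAT))
```

On a live machine, feed the output of `netstat -an` into `tored_port_activity`; a `listening` value of true together with a non-empty `peers` list is the state the Activity section describes (backdoor open and a remote side connected), and the peer addresses are what to pivot on in firewall or flow logs.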

Propagation

To find e-mail addresses to send its messages to, Tored.A queries the local Address Book and retrieves the following information:

• Contact
• Group
• Jobtitle
• Bday
• PhoneNumbers
• Homepage
• EmailAddresses
• AIMScreenNames
• JabberScreenNames
• MSNScreenNames
• YahooScreenNames
• ICQNumbers

The worm uses its own SMTP engine to send e-mail to the harvested addresses. To perform its mass mailing, the worm connects to the following SMTP servers:

• smtp.9online.fr
• mail.club-internet.fr
• mail.diligo.fr
• smtp.free.fr
• smtp.infonie.fr
• smtp.libertysurf.fr
• smtp.nerim.fr
• mail.cybercable.fr
• mail.oreka.com
• smtp.wanadoo.fr
• mail.worldnet.fr
• smtp.laposte.net

Once connected, it sends the following information:

The "From" field can be any of the following:

• br@fh.tn
• av@av.tn
• fucker@fuck.fu
• ser@jhfd.it
• Ma@ry.am
• apple@service.tn

The "Subject" text can be any of the following:

• Hi , Chek
• Sir , Your Text !
• Error For Sending ,It Is Important to Get Your Data
• Chek It
• Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement
• Check
• Your Identidie Has Been ....Chek Attchement For More Information
• You Has Been Comprimased , Chek !
• Credi Money Has Been Sent As A Binary File , Chek
• New porn tools
• Chek your XXX application !
• Your information was ...
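
A header-matching routine for the e-mail indicators listed under Installation and Propagation above, added here as an example; it is not part of the original description. The sender pattern, fixed sender addresses, subject lines and relay hostnames are transcribed from this page; the two sample messages are constructed. The relay hostnames are ordinary ISP mail servers that carry plenty of legitimate traffic, so their appearance in a Received chain is reported separately as a corroborating signal, and a message is rated as likely Tored.A only on a sender or subject match.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Indicators transcribed from the description above.
INSTALL_SUBJECT = (
    "For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac "
    "and sorry for our fault :)"
)
# Sender pattern "AppleFu(2 random letters)cker@mail.(random letters)"
INSTALL_FROM_RE = re.compile(r"^AppleFu[A-Za-z]{2}cker@mail\.[A-Za-z]+$")
PROPAGATION_FROM = {
    "br@fh.tn", "av@av.tn", "fucker@fuck.fu",
    "ser@jhfd.it", "Ma@ry.am", "apple@service.tn",
}
PROPAGATION_SUBJECTS = {
    "Hi , Chek",
    "Sir , Your Text !",
    "Error For Sending ,It Is Important to Get Your Data",
    "Chek It",
    "Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement",
    "Check",
    "Your Identidie Has Been ....Chek Attchement For More Information",
    "You Has Been Comprimased , Chek !",
    "Credi Money Has Been Sent As A Binary File , Chek",
    "New porn tools",
    "Chek your XXX application !",
    "Your information was ...",
}
# Relays the worm sends through; legitimate ISP servers, so only a weak signal.
SMTP_RELAYS = (
    "smtp.9online.fr", "mail.club-internet.fr", "mail.diligo.fr", "smtp.free.fr",
    "smtp.infonie.fr", "smtp.libertysurf.fr", "smtp.nerim.fr", "mail.cybercable.fr",
    "mail.oreka.com", "smtp.wanadoo.fr", "mail.worldnet.fr", "smtp.laposte.net",
)
STRONG_HITS = {"from:apple-fu-pattern", "from:fixed-sender",
               "subject:install-lure", "subject:propagation-lure"}

# Constructed sample messages (not real captures).
SAMPLE_LURE = """\
Received: from smtp.free.fr (smtp.free.fr [203.0.113.10]) by mx.example.net
From: AppleFuabcker@mail.xyz
To: victim@example.net
Subject: Chek It
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi
--b1
Content-Type: application/octet-stream; name="update"
Content-Disposition: attachment; filename="update"

(binary payload omitted)
--b1--
"""

SAMPLE_BENIGN = """\
From: Alice <alice@example.org>
Subject: Lunch tomorrow?

See you at noon.
"""


def match_indicators(raw_message: str) -> List[str]:
    """Return the names of the Tored.A indicators present in one message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    subject = (msg.get("Subject") or "").strip()
    hits = []
    if INSTALL_FROM_RE.match(sender):
        hits.append("from:apple-fu-pattern")
    if sender in PROPAGATION_FROM:
        hits.append("from:fixed-sender")
    if subject == INSTALL_SUBJECT:
        hits.append("subject:install-lure")
    if subject in PROPAGATION_SUBJECTS:
        hits.append("subject:propagation-lure")
    # The worm ships as an attachment; note its presence as a supporting signal.
    if msg.is_multipart() and any(p.get_filename() for p in msg.walk()):
        hits.append("has-attachment")
    return hits


def relays_in_received_path(raw_message: str) -> List[str]:
    """Listed SMTP relays that appear in the message's Received headers."""
    msg = message_from_string(raw_message)
    received = " ".join(msg.get_all("Received", [])).lower()
    return [host for host in SMTP_RELAYS if host in received]


def is_likely_tored(raw_message: str) -> bool:
    """Rate a message as likely Tored.A only on a sender or subject match."""
    return any(h in STRONG_HITS for h in match_indicators(raw_message))


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, match_indicators(raw), relays_in_received_path(raw),
              is_likely_tored(raw))
```

Subjects such as "Check" and "Hi , Chek" are short enough to collide with ordinary mail, which is why the rating requires an exact subject or sender match and why the attachment and relay signals are kept separate: in a mail-gateway rule they belong in the score, not in the trigger.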

Last update 06 May 2009
