A new worm that attempts to steal online banking credentials is propagating on Google's social-networking Web site.
The worm, dubbed MW.Orc, primarily targets Brazilian users of Google's Orkut Web site. It uses a message in Portuguese to entice people to click on a file that is disguised as a JPEG image, FaceTime Security Labs said in a statement.
The initial file, called "minhasfotos.exe," creates two additional files on a user's system, "winlogon_.jpg" and "wzip32.exe." When the user, after the initial compromise, clicks on the "My Computer" icon in Windows, an e-mail with his or her personal data is sent to the anonymous attacker.
Additionally, the compromised computer may be added to a network of hijacked PCs, known as a botnet. The pest also tries to propagate by placing a malicious link on the profiles of people in the Orkut user's network.
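As an added illustration (not code from the article or from any vendor), the Python below checks a folder for the three file names reported above and, as a generalization the article does not spell out, for any .jpg/.jpeg file whose leading bytes are not a JPEG header. The function names are hypothetical and the sample files are constructed placeholders.

```python
import os
import tempfile

# File names the article reports (compared case-insensitively).
REPORTED_NAMES = {"minhasfotos.exe", "winlogon_.jpg", "wzip32.exe"}
JPEG_SOI = b"\xff\xd8\xff"  # first bytes of a genuine JPEG
PE_MAGIC = b"MZ"  # first bytes of a Windows executable

def classify(path):
    """Return the reasons a file looks suspicious (empty list if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    if name in REPORTED_NAMES:
        reasons.append("name reported for MW.Orc")
    with open(path, "rb") as fh:
        head = fh.read(3)
    ext = os.path.splitext(name)[1]
    if ext in (".jpg", ".jpeg") and not head.startswith(JPEG_SOI):
        kind = "executable" if head.startswith(PE_MAGIC) else "non-JPEG"
        reasons.append(f"{ext} extension but {kind} content")
    return reasons

def scan(root):
    """Walk root and return {path: reasons} for every flagged file."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            try:
                reasons = classify(path)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if reasons:
                hits[path] = reasons
    return hits

def demo():
    """Run scan() over constructed sample files (harmless byte strings)."""
    samples = {"holiday.jpg": JPEG_SOI + b"\xe0", "winlogon_.jpg": b"MZ\x90",
               "fotos.jpg": b"MZ\x90", "minhasfotos.exe": b"MZ\x90", "notes.txt": b"hi"}
    with tempfile.TemporaryDirectory() as d:
        for fname, data in samples.items():
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): r for p, r in scan(d).items()}

if __name__ == "__main__":
    for fname, why in sorted(demo().items()):
        print(fname, "->", "; ".join(why))
```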
Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."
For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.
Never click on any link that looks unfamiliar to you, even if it comes from your closest friend.
Here is what the scrap will look like.
“Opa, tudo bom? Eu criei um vídeo com uma seleção de minhas fotos novas, clica aí pra ver - h t t p :// y e p . i t / ? i k s t t v - Estão bem legais!!!”
What should you do?
Simply delete the scrap! As simple as that.
How does it spread?
It spreads through infected contacts. An Orkut account gets infected once you click on the link. The Trojan posts a message in your friends' scrapbook area of the Orkut system. The message text is chosen by the attacker and can be a random sentence written in Brazilian Portuguese, such as the following:
Message example 1:
Opa, tudo bom? Eu criei um video com uma selecao de minhas fotos novas, clica ai pra ver - [MALICIOUS_LINK] - Esta bem legais!!!
Message example 2:
Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [MALICIOUS_LINK] - Sei que vai gostar
If users click on the link, a malicious file is downloaded, which is a copy of Infostealer.Orcu.
When Infostealer.Orcu is executed, it performs a series of actions and infects your system.
What does this scrap in Portuguese mean anyway? I tried using a translator and this is what I got…
Opa, all good one? I created a video with an election of my photos new, clica pra to see there - h t t p :// y e p . i t / ? i k s t t v - I am well legal!
Name of the Trojan: Infostealer.Orcu
Norton’s Description: Infostealer.Orcu is a Trojan horse that attempts to steal confidential information, such as bank and PayPal accounts. It may arrive as a message spammed across the Orkut network.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Hackers are trying to steal Orkut users' bank account information by inserting an automated information theft worm, according to security researchers. The worm, known as MW.Orc, is propagating through Orkut when users launch an executable file disguised as a JPEG.
Google has a temporary fix in place and encourages Orkut users not to open suspicious files.
"We are aware of this issue and have a temporary fix in place. We are working on a more permanent solution for users to guard against these malicious efforts," said a representative from Google in a response emailed to Google Watch.