Partner Cyberoam* brought this one to our attention. The kamasutra virus is being transferred in the form of a downloadable PPT/PPS file link. When the “presentation” (actually an exe file) is opened, users are treated to “illustrated” Kama Sutra positions. In the background the malicious code installation is started along with several other activities.
Commtouch’s Command Antivirus detects the file as W32/Backdoor2.HDIT. We ran the file through our sandbox which gave the following report:
- Files Created:
- C:Documents and SettingsuserLocal SettingsTemp1.tmpReal kamasutra.pps
- C:Documents and SettingsuserLocal SettingsTemp1.tmpReal kamasutra.pps.bat
- C:Documents and SettingsuserLocal SettingsTemp1.tmpacrobat.exe
- C:Documents and SettingsuserLocal SettingsTemp1.tmpjqa.exe
- Executes: “C:Program FilesMicrosoft OfficeOFFICE11POWERPNT.EXE” /s “C:Documents and SettingsuserLocal SettingsTemp1.tmpReal kamasutra.pps” - this is the part where (lucky?) recipients actually get to the see the PowerPoint file.
- Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
- Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
- Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
- Executes: cmd /c “”C:Documents and SettingsuserLocal SettingsTemp1.tmpReal kamasutra.pps.bat” “
- Creates a hidden folder: c:windows~hpcc1230
- Modifies the registry not to show hidden files.
Yes… we’ve included a screenshot (but this is a family-oriented blog so we made it less interesting).
*Cyberoam is a division of Elitecore Technologies and the innovator of identity-based Unified Threat Management (UTM) solutions.