Anti-P2P Malware abuses victims

Researchers at SophosLabs have provided detection for a new variant of the Pirlames family of Trojans.

When run, Troj/Pirlames-C searches the hard drive for files with extensions including the following:

EXE, BAT, CMD, INI, ASP, HTM, HTML, PHP, CLASS, JAVA, DBX, EML, MBX, TBB, WAB, HLP, TXT, MP3, XLS, LOG, BMP

Troj/Pirlames-C deletes any such files it finds and replaces each one with an image file of the same name but with an additional BMP extension, giving the file a double extension (for example, a file called report.xls would become report.xls.bmp). The images are cartoons carrying Japanese messages.
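The naming pattern described above is also the easiest way to triage a damaged drive: every file the Trojan has replaced keeps its original name and gains a second .bmp extension. The following is an added example, not Sophos code, of a small Python script that walks a directory tree and lists files matching that pattern so the originals can be identified for restoration from backup. The extension list is the one given in this write-up (which says the real list "includes" these, so it may be incomplete); the `BM` signature check is an added sanity check based on the write-up's statement that the replacements are images (every BMP file begins with the bytes `BM`). The sample directory it builds is constructed for the demonstration and is not real infected data.

```python
"""Triage helper: find files matching the Troj/Pirlames-C overwrite pattern.

Added example, not part of the original write-up or of any Sophos tool.
Pattern assumed from the description: <name>.<targeted ext>.bmp, where the
content is a BMP image (first two bytes 'BM').
"""
import os
import tempfile

# Extensions listed in the write-up (stated there as a non-exhaustive list).
TARGET_EXTS = {
    "exe", "bat", "cmd", "ini", "asp", "htm", "html", "php", "class", "java",
    "dbx", "eml", "mbx", "tbb", "wab", "hlp", "txt", "mp3", "xls", "log", "bmp",
}


def original_name(filename):
    """Return the pre-infection filename if `filename` looks like a Pirlames-C
    replacement (e.g. 'report.xls.bmp' -> 'report.xls'), otherwise None.

    A legitimate single-extension image such as 'photo.bmp' does not match;
    a replaced BMP ('picture.bmp.bmp') does, because BMP is itself targeted.
    """
    if not filename.lower().endswith(".bmp"):
        return None
    stem = filename[:-4]                      # strip the appended .bmp
    base, dot, ext = stem.rpartition(".")
    if not dot or not base or ext.lower() not in TARGET_EXTS:
        return None
    return stem


def looks_like_bmp(path):
    """True if the file starts with the 'BM' signature every BMP carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"BM"


def scan_tree(root):
    """Walk `root` and return sorted (replacement_path, original_name) pairs
    for files whose name matches the pattern AND whose content is a BMP."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is None:
                continue
            path = os.path.join(dirpath, name)
            if looks_like_bmp(path):
                hits.append((path, orig))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample (not real infected data): a temp dir holding two
    fake replacement images, one legitimate .bmp and one untouched .txt."""
    root = tempfile.mkdtemp(prefix="pirlames_demo_")
    sub = os.path.join(root, "docs")
    os.mkdir(sub)
    fake_bmp = b"BM" + b"\x00" * 12          # just enough to carry the signature
    with open(os.path.join(sub, "budget.xls.bmp"), "wb") as fh:
        fh.write(fake_bmp)
    with open(os.path.join(root, "autoexec.bat.bmp"), "wb") as fh:
        fh.write(fake_bmp)
    with open(os.path.join(root, "wallpaper.bmp"), "wb") as fh:
        fh.write(fake_bmp)                   # legitimate image, single extension
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("untouched\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for replacement, original in scan_tree(demo_root):
        print(f"{replacement} -> originally {original}")
```

Run against the root of a recovered drive (mounted read-only) to get the list of originals to restore; the name check alone is cheap, and the signature check weeds out files that merely happen to carry a double extension.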

Troj/Pirlames-C will also attempt to download and run malware detected as Troj/Sera-A and Troj/KillFil-KI.

The images it replaces a victim's files with can be seen below.

Note: The language of the text has been censored slightly to remove inappropriate language.

prilamec1.jpg

Why don’t you stop the P2P? Do you really want to be killed that much?

prilamec2.jpg

Hang on a minute, geek …

prilamec3.jpg

It might seem rude to say this but …Might you be **?

Whilst the images may seem cute to some, and their anti-piracy message may appear to side with the 'good guys', this Trojan is extremely malicious. It infects any computer it runs on, whether or not that computer is used for file sharing, and destructively overwrites a large number of the victim's files. Because the targeted extensions include EXE, BAT, CMD and INI, the programs and configuration files the operating system itself depends on are among the casualties, which may render the computer inoperable.

Below is a screenshot of a folder from an infected computer.

prilamec4.jpg