Today was a most unusual day; I analyzed two malware samples which contained religious themes in two completely different contexts. Before I go ahead and talk about these two samples, I want to apologize if anyone is offended by my blog.
W32/Autorun-DP is a piece of malware that targets an Indonesian audience. It is a run-of-the-mill Autorun worm that copies itself to removable storage devices and into several directories on the victim's computer. After I let it run for about half an hour, it displayed the following message box asking “Are you Muslim?”:
Pressing “Bukan”, which I’m assuming means NO in Bahasa Indonesia, caused the malware to terminate (interesting!?!). Not wanting to wait another half hour, I brute forced the worm with OllyDbg and this time pressed “Ya”. This prompted the next message box, which read “Sudhakah Anda Shalat?”. This translates to “Have you prayed?”. Pressing “Ya” brought up this message box:
This roughly translates to “If only God shows forgiveness to you”. This time the malware did not terminate. Is this worm being partial to people of other religions? The answer is NO. The payload was delivered when the worm first executed, regardless of the user's religion.
Our next malware, W32/VB-DZJ, is yet another worm. This one copies itself to network shares and creates a whole bunch of text files on the victim's computer with the extension “.pdf”, e.g. “Spiderman 2.pdf” and “Java Telephony.pdf”. It doesn’t flash any religious messages like W32/Autorun-DP does. What is strange is the presence of a large number of passages from the Bible embedded in its code:
This was certainly very strange, and analysis of the file showed that the function referencing those passages is never executed. Going over the passages, no single message emerges; they all talk about different things. This was confusing and cryptic. Checking our databases showed that we have seen a similar sample, W32/VB-CUA, in the past with the same Bible passages but slightly different behavior. I am not a psychologist, but I assume the malware author is deeply religious?
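The fake “.pdf” files W32/VB-DZJ drops are plain text, so their extension and their first bytes disagree. A quick triage check for that kind of dropper is to walk a directory and flag files whose extension claims a known format but whose header does not carry that format's magic bytes. The script below is an added example written for this post; it is not code from the worm or from our analysis tooling, and the file names, the magic-byte table and the sample directory it builds are all constructed for illustration.

```python
import os
import tempfile

# Constructed table of leading magic bytes for a few common extensions.
# A real .pdf must begin with "%PDF-"; the worm's text files do not.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".zip": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
}


def header_matches(path, ext):
    """True/False if the header agrees with the extension; None if the
    extension is not in MAGIC (nothing to compare against)."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    longest = max(len(s) for s in sigs)
    with open(path, "rb") as f:
        head = f.read(longest)
    return any(head.startswith(s) for s in sigs)


def find_mismatches(root):
    """Return sorted paths under root whose extension claims a known
    format but whose first bytes do not match that format's magic."""
    bad = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1]
            if header_matches(path, ext) is False:
                bad.append(path)
    return sorted(bad)


def make_sample_tree():
    """Constructed sample directory: one file with a genuine PDF header,
    two text files named like the worm's decoys, and an unrelated .txt."""
    root = tempfile.mkdtemp(prefix="fakepdf_")
    with open(os.path.join(root, "real.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n% constructed minimal header only\n")
    for name in ("Spiderman 2.pdf", "Java Telephony.pdf"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"Plain text pretending to be a PDF document.\n")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"unrelated text file\n")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for path in find_mismatches(root):
        print("extension/header mismatch:", path)
```

Run against a suspect share or removable drive instead of the sample tree, the list it prints is a good starting point for collecting the dropper's decoys; extend `MAGIC` with the formats you care about, and remember that a file whose header does match can still be malicious.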