Fake Twitter spam - Merond Worm

October 6, 2009

The SonicWALL UTM Research team observed a new Merond worm variant being spammed in the wild via fake Twitter invitation e-mail messages. The e-mail message looks like this:

Sender: invitations@twitter.com [Spoofed sender address]

Subject: Your friend invited you to twitter!

Attachment: Invitation Card.zip [Contains document.doc<many spaces>.exe; the long run of spaces pushes the real .exe extension out of view so the file appears to be a Word document]

The malicious executable inside the attachment is the new mass-mailing worm variant; the file looks like this:

screenshot

A sample e-mail message is shown below:

screenshot
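Two checks a mail gateway can apply to this lure are shown below as an added example (not SonicWALL's code): flag any attachment, or any member of a ZIP attachment, whose name hides an executable extension behind whitespace padding, and flag a From: address claiming an impersonated brand domain when the message carries no passing SPF/DKIM result. The `Authentication-Results` header check assumes an upstream MTA writes that header; the brand list, the sample message and the ZIP content are constructed here so the script runs offline.

```python
"""Added example, not SonicWALL's code: mail-gateway heuristics for the lure above.

Two checks a practitioner would want on this message:
  1. an attachment (or ZIP member) whose name hides an executable extension
     behind a run of spaces, e.g. "document.doc<spaces>.exe";
  2. a From: header claiming twitter.com with no passing SPF/DKIM result
     (assumes an upstream MTA stamps Authentication-Results; assumption).
The sample message and ZIP are constructed inline so the script runs offline.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Benign-looking extension, whitespace padding, then a real executable extension.
PADDED_DOUBLE_EXT = re.compile(
    r"\.[A-Za-z0-9]{1,5}\s+\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE
)
WATCHED_BRANDS = {"twitter.com"}  # assumed list of impersonated sender domains


def padded_double_extension(name: str) -> bool:
    """True when a filename pushes its executable extension out of view with padding."""
    return PADDED_DOUBLE_EXT.search(name) is not None


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Names inside a ZIP that use the padded double-extension trick."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if padded_double_extension(info.filename)]


def sender_unauthenticated(msg) -> bool:
    """No spf=pass or dkim=pass in Authentication-Results (assumed MTA header)."""
    auth = str(msg["Authentication-Results"] or "").lower()
    return "spf=pass" not in auth and "dkim=pass" not in auth


def analyze_message(raw: bytes) -> dict:
    """Return the From address, subject and a list of findings for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg["From"] or ""))[1]
    findings = []
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in WATCHED_BRANDS and sender_unauthenticated(msg):
        findings.append(f"From: claims {domain} but message carries no passing SPF/DKIM result")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if padded_double_extension(fname):
            findings.append(f"attachment name hides executable: {fname!r}")
        if fname.lower().endswith(".zip") and payload:
            for member in suspicious_zip_members(payload):
                findings.append(f"zip member hides executable: {member!r}")
    return {"from": from_addr, "subject": str(msg["Subject"] or ""), "findings": findings}


def build_sample_message() -> bytes:
    """Constructed stand-in for the spam run: same headers, harmless ZIP content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.doc" + " " * 120 + ".exe", b"not a real PE file")
    msg = EmailMessage()
    msg["From"] = "invitations@twitter.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your friend invited you to twitter!"
    msg.set_content("Your friend invited you to join Twitter. See the attached card.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invitation Card.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze_message(build_sample_message())["findings"]:
        print(finding)
```

The regex requires a dot immediately after the whitespace run, so ordinary names such as `v1.0 update.exe` do not match; the sender check is deliberately restricted to a watched brand list because many legitimate domains still lack SPF or DKIM.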

When executed, the worm performs the following activities on the victim machine:

  • Injects a malicious executable into multiple system files on the victim machine, including:
    • (System Folder)\attrib.exe
    • (System Folder)\bootcfg.exe
    • (System Folder)\calc.exe
    • (System Folder)\chkdsk.exe
  • Determines the public IP address of the victim machine by sending an HTTP GET request to whatismyip.com
  • E-mails a copy of itself to e-mail addresses harvested from the victim machine
  • Collects sensitive information from the victim machine and sends it to a predetermined IP address on port 65520. A sample of the encrypted traffic is shown below:

    screenshot

  • Downloads rogueware applications onto the victim machine.
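The network side of the behaviour list (the whatismyip.com lookup, the outbound connection on port 65520 and the worm's own mass-mailing) can be correlated per host in egress logs. The script below is an added example, not SonicWALL's code: the log format is an assumed simplification, the log lines and addresses are constructed, and the SMTP fan-out threshold is an assumption to tune per environment; only whatismyip.com and port 65520 come from the advisory.

```python
"""Added example, not SonicWALL's code: correlating the worm's network behaviour
in egress logs. The log format ("<timestamp> <src> -> <dst>:<dport> [detail]")
is an assumed simplification and the lines are constructed; only whatismyip.com
and port 65520 come from the advisory. SMTP_FANOUT_THRESHOLD is an assumption.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)(?: (?P<detail>.*))?$"
)

C2_PORT = 65520                        # from the advisory
IP_LOOKUP_HOSTS = {"whatismyip.com"}   # from the advisory
SMTP_FANOUT_THRESHOLD = 3              # assumed: a workstation rarely talks to this many MXs directly

# Constructed sample: 10.0.0.15 shows all three behaviours, 10.0.0.22 only the
# IP lookup (a user checking their address), 10.0.0.31 normal traffic.
SAMPLE_LOG = """\
2009-10-06T10:01:02 10.0.0.15 -> whatismyip.com:80 GET /
2009-10-06T10:01:09 10.0.0.15 -> 203.0.113.7:65520
2009-10-06T10:02:11 10.0.0.15 -> mx1.example.net:25
2009-10-06T10:02:12 10.0.0.15 -> mx.example.org:25
2009-10-06T10:02:14 10.0.0.15 -> mail.example.edu:25
2009-10-06T10:03:00 10.0.0.22 -> whatismyip.com:80 GET /
2009-10-06T10:04:00 10.0.0.31 -> 198.51.100.9:443
2009-10-06T10:04:30 10.0.0.31 -> smtp.example.com:25
"""


def parse_events(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def host_indicators(lines) -> dict:
    """Map each source host to the sorted list of worm indicators it exhibited."""
    indicators = defaultdict(set)
    smtp_targets = defaultdict(set)
    for ev in parse_events(lines):
        src, dst, dport = ev["src"], ev["dst"].lower(), ev["dport"]
        if dport == C2_PORT:
            indicators[src].add(f"outbound connection to port {C2_PORT} (exfiltration channel)")
        if dst in IP_LOOKUP_HOSTS:
            indicators[src].add(f"public IP lookup via {dst}")
        if dport == 25:
            smtp_targets[src].add(dst)
    for src, targets in smtp_targets.items():
        if len(targets) >= SMTP_FANOUT_THRESHOLD:
            indicators[src].add(f"direct SMTP to {len(targets)} mail servers (mass-mailing engine)")
    return {src: sorted(found) for src, found in indicators.items()}


def suspected_infections(lines, min_indicators: int = 2) -> list:
    """Hosts showing at least min_indicators distinct behaviours, sorted by address."""
    return sorted(src for src, found in host_indicators(lines).items()
                  if len(found) >= min_indicators)


if __name__ == "__main__":
    for host, found in host_indicators(SAMPLE_LOG.splitlines()).items():
        print(host, found)
    print("suspected:", suspected_infections(SAMPLE_LOG.splitlines()))
```

Requiring two indicators keeps a user who simply visited whatismyip.com out of the alert; the port 65520 connection on its own is strong enough to justify an egress block rule regardless of the correlation.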

This malware is also detected as TR/Buzus.caro [AntiVir], Worm:Win32/Prolaco.gen!C [Microsoft], and Worm:W32/Prolaco.D [F-Secure].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Merond.V (Worm) signature.