Friday, October 27, 2006

nsl-school IM Worm

I recently received some messages with malicious links through Yahoo messenger from a friend.

These were the messages:
(I have replaced nsl-school.org with NSL-LINK and myglobal-news.com with MYGLOBAL-LINK.)
DO NOT RECONSTRUCT NOR CLICK ON THE LINKS

(10/27/2006 4:10:33 AM): never click into the links like something in this image http:// /dontclick.jpg !!!
(10/27/2006 4:11:12 AM): Screenshot of new windows version _ Windows Vista http:// /vista.jpg so cool
(10/27/2006 4:11:55 AM): Screenshot of new windows version _ Windows Vista http:// /vista.jpg so cool
(10/27/2006 4:12:42 AM): 1 of my vacation pictures http:// /vacation1.jpg
(10/27/2006 4:13:55 AM): Miss World 2006: http:// /MissWorld.jpg !!
(10/27/2006 4:15:09 AM): My pics http:// /mypics.jpg <<
(10/27/2006 8:50:59 AM): wtf is this ? wanna give me a shit ? http://NSL-LINK/?id=news
Breaking news : school girls are kidnapped by the terrorists !! http://MYGLOBAL-LINK/?news_id=18388
(10/27/2006 9:04:21 AM): damn, she is so cute http://NSL-LINK/?id=miss_world

After googling this for some time I found out that this seems to be the activity of a worm which is affecting Asian users of Yahoo Messenger. Trend Micro calls this worm WORM_SOHANAD.C.

Among the messages I received, you would notice that some were incomplete. Perhaps Yahoo is blocking these links, but I am not too sure if that is true.
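As an added example (my own code, not part of the original post), here is a small Python scanner that runs over chat-log lines in the format shown above and flags URLs matching the indicators this post gives: the two domains named in the post, the lure image paths, and the `?id=news` / `?id=miss_world` / `?news_id=` query strings. It also handles the truncated form (`http:// /vista.jpg`) where the host has been stripped from the message. The sample log is constructed from the messages above plus two benign lines; the hostnames in it are the post's own NSL-LINK and MYGLOBAL-LINK placeholders, not real domains.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log in the same shape as the post's messages (placeholder hosts,
# plus two harmless lines so the scanner has something it should NOT flag).
SAMPLE_LOG = """\
(10/27/2006 4:10:33 AM): never click into the links like something in this image http:// /dontclick.jpg !!!
(10/27/2006 4:11:12 AM): Screenshot of new windows version _ Windows Vista http:// /vista.jpg so cool
(10/27/2006 4:12:42 AM): 1 of my vacation pictures http:// /vacation1.jpg
(10/27/2006 8:50:59 AM): wtf is this ? wanna give me a shit ? http://NSL-LINK/?id=news
(10/27/2006 9:04:21 AM): damn, she is so cute http://NSL-LINK/?id=miss_world
(10/27/2006 9:30:00 AM): lunch at 1? see http://example.com/menu.html
(10/27/2006 9:31:00 AM): ok, see you there
"""

# Indicators taken from the post: domains it names, lure paths and query strings it shows.
WORM_DOMAINS = {"nsl-school.org", "myglobal-news.com"}
LURE_PATHS = {"/dontclick.jpg", "/vista.jpg", "/vacation1.jpg", "/missworld.jpg", "/mypics.jpg"}
LURE_QUERY_RE = re.compile(r"^(id=(news|miss_world)|news_id=\d+)$")

# "(timestamp): text" as Yahoo Messenger logs it
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\):\s*(?P<text>.*)$")
# A URL, or the truncated "http:// /path" form where the host was removed
URL_RE = re.compile(r"https?://(?:\S+|\s+/\S+)")


def classify_url(url):
    """Return a short reason if the URL matches a worm indicator, else None."""
    # Collapse "http:// /x.jpg" to "http:///x.jpg" so urlsplit yields an empty host
    parts = urlsplit(re.sub(r"://\s+", "://", url))
    host = parts.netloc.lower()
    path = parts.path.lower()
    if host in WORM_DOMAINS:
        return "known worm domain"
    if not host:
        # Host stripped (as in the incomplete messages); judge by the path alone
        return "host stripped, lure path" if path in LURE_PATHS else "host stripped"
    if path in LURE_PATHS:
        return "lure path"
    if LURE_QUERY_RE.match(parts.query):
        return "lure query"
    return None


def scan_log(text):
    """Return a list of (timestamp, url, reason) for every flagged URL in the log."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group("text")):
            reason = classify_url(url)
            if reason:
                hits.append((m.group("ts"), url, reason))
    return hits


if __name__ == "__main__":
    for ts, url, reason in scan_log(SAMPLE_LOG):
        print(f"{ts}  {reason:<26} {url}")
```

The domain set is the part worth keeping current; the path and query signatures only catch this particular wave of lures, which is exactly the limitation the post runs into when a vendor write-up omits the URL.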

=====================================
Trend Micro in their report on this worm mention:
In addition, when an Internet Explorer window having the title bar Mesothelioma, Asbestosis & Lung Cancer Information - Microsoft Internet Explorer is opened, this worm changes the said name with null.

(Rare Cancer + Google AdSense + Litigations + advertisements) Fraud:
Following the lead of 'Mesothelioma' I got to know of the findings of FaceTime Security Labs on their blog 'blog.spywareguide'. Their article on the very sophisticated KMeth worm can be read here.

This analysis caught the attention of a large number of news portals on the web and the story was splashed almost everywhere. The article shows how sophisticated the malcode writers' business model is. A really complicated fraud. If you read and understood the complicated fraud model, you would recall that depending on the country the affected user is in, the page will display differently.

I guess that is what Trend Micro was describing when they said that Mesothelioma-related page titles are changed to null. This of course is my attempt to link WORM_SOHANAD.C and the KMeth worm together. A Google search for 'nsl-school' revealed that most of the people who complained about this worm were Asians. If KMeth was designed primarily for the US, then why aren't there complaints/rants from US users?

=====================================
Anti-Virus Vendors and blocked URLs:
The only way a user affected by a virus/worm can know more about the virus/worm is by using a search engine. In this case, of all the words in the messages that I received, "nsl-school" is the characteristic word. So searching for this word on the web seems the best option. But alas, anti-virus vendors do not specify the link completely in their pages! In this instance the anti-virus vendor has deleted the links entirely. How then will an affected user know more?

Trend Micro's English-language page on this worm does not mention "nsl-school" at all. In their Chinese version (Google-translated) of the page for the same worm, however, they forgot to block the URL in one instance, which luckily allowed me to confirm that the messages were indeed sent by the SOHANAD.C worm.

