Although we’ve not seen too many actual attacks from this, it’s been widely reported in the media, perhaps as it’s quite a novelty these days to see a worm spreading in this way.

It spreads itself as an executable in email, but disguises itself as a PDF file, when executed it attempts to download some other malicious files on the victim machine, and drops some files in an attempt to let the worm spread via autorun.

K7 Total Security detects this worm as  ”Emailworm (0019e4ae1)” (yeah, it’s that uninteresting!)

Full information is here:

http://viruslab.k7computing.com/index.php?option=com_k7virus&view=showvirus&Itemid=1&id=818

If you’re interested in more, Dan Goodin has written a short piece about the worm on The Register http://www.theregister.co.uk/2010/09/10/email_worm_spreading/

Andrew Lee
CTO K7 Computing

In recent times, the quake at Haiti was used as a lever to ask people to visit a link to help. Of course if a mail is well-crafted we tend to see how we can help and then the usual means of  exploiting are used: ranging from asking you to make a ‘small’ donation with your credit card to stealthily making you download malware.

If you are from Chennai, Tamil Nadu (INDIA), you will be aware of a sleazy scandal involving a fake godman. To cut a long story short the young godman was caught on tape in very compromising acts with an yesteryear actress–would have been nobody’s business but for the godman’s usual preaching around celibacy and how he has achieved ‘powers’ through the practice of the same.

Anyway, our interest is the fact that currently if you were to search for the name of the people involved you are being directed to pages that host Fake Anti-Virus products.

So beware, of fake swamijis and fake AVs!

The name probably brings out images of a Hindi movie or a school nickname. Well, it is Indian alright. But it is a rarity–a malware that originated out of India.

In fact, there is some doubt as to if it is really intended to be malware–more on that later.

Chronologically, Cool Rahul was spotted around mid December 2009 and in about a few days’ time K7 Computing products were updated to detect and remove it. It appears to be a variant of an older VBScript spotted in mid-January 2009.

Let us first highlight some major characteristics and then look at our speculation on its origins:

1. It claims to be an antivirus program. In fact it does clean up a slew of well known malware( “smss.exe”, “killer.exe”,”Funny UST Scandal.exe”,”iph.exe”,”scvvhsot.exe” etc)
2. It changes the Internet Explorer’s Title Bar to “LORD RAHUL COOL” and resets the default home page to WWW.nyd.zoomshare.COM
3. It makes itself run on startup by attaching itself to userinit.exe
4. It scans removable devices regularly and attempts to propagate itself.

So there you have it. A piece of VBscript that does remove programs that are clearly malware; but propagates itself surreptitiously and modifies the IE Toolbar without user permission. Like we noted earlier CoolRahul is being detected and removed as malware. That said, we believe that it was written more as a college project than with malicious intentions. The level of artlessness in propagation and the rather juvenile alteration to the IE title bar lend some weight to this belief. Of course, that does not mean we welcome Mr Rahul’s program on to our machines. After all this code can and we are sure eventually will be modified to act more maliciously. But as it stands it looks like a somewhat misdirected programming effort.

A complete list of files it modifies and affects is available in the “Notes on Cool Rahul” article in the Tech Notes Section. The note also explains the details of the earlier VBScript Cool Rahul is based on.