Paris Hilton is fashionable. This girl does a bit of everything: she’s a model, an actress, a singer… and she has become a target not only for the paparazzi but also for computer attacks…
Several months ago Paris’s image was being used in thousands of spam messages that supposedly contained hot videos of the celebrity. However, this was too good to be true: it was actually malware that installed rogue AVs on our computers.
This time, cyber-crooks have gone further and Paris Hilton’s official website has been attacked. When accessing the web page, a popup window appears offering visitors the option to download the latest Flash Player update.
When the downloaded file is run, it terminates smss.exe, the Windows NT Session Manager Subsystem process. It then drops a file named twext.exe in system32, hooks into the winlogon.exe process and modifies the following Windows Registry entry so that it is run every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\WINDOWS\system32\userinit.exe,
New data: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
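A small triage check for the persistence mechanism described above, added here as an example and not taken from the original post: it splits the Userinit value the way Windows does (comma-separated programs, all launched at logon) and flags every entry that is not the stock userinit.exe, using the old and new data quoted above as constructed samples. The live registry read assumes Python’s standard winreg module on a Windows host.

```python
import sys
from typing import List


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit REG_SZ data into program entries.

    Windows launches every comma-separated path in this value at logon, which is
    why appending twext.exe to it gives the trojan persistence.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def is_stock_userinit(entry: str) -> bool:
    """True only for userinit.exe living in (or resolved from) the system directory."""
    path = entry.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    if name != "userinit.exe":
        return False
    # A bare "userinit.exe" resolves from system32; an explicit path must point there,
    # otherwise a look-alike dropped elsewhere would slip through.
    return directory == "" or directory.endswith("\\system32")


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return the entries Windows would launch that are not the stock userinit.exe."""
    return [entry for entry in split_userinit(value) if not is_stock_userinit(entry)]


def read_live_userinit() -> str:
    """Read the current Userinit value from HKLM on this machine (Windows only)."""
    if sys.platform != "win32":
        raise OSError("Userinit lives in the Windows registry; not available on this OS")
    import winreg  # standard library, present only on Windows builds of Python
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _reg_type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed samples mirroring the "old data" and "new data" quoted in the post.
    clean = r"C:\WINDOWS\system32\userinit.exe,"
    infected = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"
    for sample in (clean, infected):
        extra = unexpected_userinit_entries(sample)
        print("suspicious" if extra else "clean", extra)
```

On a Windows host, pass read_live_userinit() to unexpected_userinit_entries() to check the machine you are sitting at; any non-empty result deserves a look.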
It continuously tries to connect to the website you69tube to download the file flvideo/.a/.z/cfg.bin, which is no longer available, and it also opens connections to 126.96.36.199.
It creates more files and directories, all of them hidden, in:
%systemroot%\twain_32\user.ds and local.ds (encrypted files)
C:\Documents and Settings\NetworkService\Application Data\twain_32\local.ds
This malware has been detected as Trj/Sinowal.VYO.
Now the question is: how long will it take cyber-crooks to use this celebrity’s image once again? I suppose that it wouldn’t be long.