For the second time recently, an app in Apple's App Store has been flagged as containing a virus. The first was an app known as “Find and Call”, which automatically sends users’ contact books to its developer. This time, a member with the nickname “deesto” reported that “Instaquotes Quotes Cards for Instagram”, a free app on the iTunes Store, was detected by the ClamXav antivirus software as “Worm.VB-900”. (http://reviews.cnet.com/8301-13727_7-57478793-263/windows-malware-slips-into-apples-ios-app-store/)
Since Apple once stated that it is “impossible to get a virus on iOS”, I immediately downloaded the app to check whether it was true.
It turned out that “Instaquotes Quotes Cards” did contain a virus. I extracted the installation files and scanned them with Bkav. The scan found two files, FBDialog.bundle.exe in folder “FBDialog.bundle” and images.exe in folder “images.exe”, infected with a virus that Bkav detects as “W32.DaknongYME.Worm”.
What surprised me is that the detected virus has been around since 2007 and can only run on the Windows platform. How did it end up in the installer of an app which only runs on MacOS?
Things became clearer when I looked at the material on “W32.DaknongYME.Worm” that I analyzed a few years ago. Upon infecting a computer, DaknongYME (detected as Mal/CoiDung-A by Sophos and Win32/VB.CB by MSE) self-replicates by copying itself to all folders on the computer, renaming each copy to match the name of the folder it is copied to. This matches the folder tree inside the installer of Instaquotes Quotes Cards, so we can affirm that the developer of “Instaquotes Quotes Cards” was using a computer running Windows that was infected with DaknongYME. The virus infected the folder containing the source code before it was moved to MacOS for packaging. It is obviously an unfortunate accident on the developer's part.
As you can see, in a world as open and interconnected as today's, the boundaries between operating systems are getting narrower.
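The folder-named copies described above can be caught before packaging with a pre-release check like the following. This is an added example, not code from the original post or from Bkav: it flags any file in an extracted app tree that starts with the Windows "MZ" executable magic (a general heuristic that goes beyond the two files named in the article) and marks copies named after their containing folder. The sample tree (Demo.app, logo.exe, notes.exe) is constructed from harmless stub files.

```python
import os
import tempfile

MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable

def is_windows_executable(path):
    """Return True if the file starts with the DOS/PE 'MZ' magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == MZ_MAGIC
    except OSError:
        return False

def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_windows_executable(full):
                continue  # wrong-extension text files, Mach-O, images, etc.
            # Pattern from the article: the copy is named after its folder.
            if name.lower() in (folder, folder + ".exe"):
                reason = "folder-named-copy"
            else:
                reason = "pe-in-bundle"  # any PE file is out of place in an iOS app
            findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout: harmless stubs, not real malware."""
    stub = b"MZ" + b"\x00" * 62
    layout = {
        "Payload/Demo.app/FBDialog.bundle/FBDialog.bundle.exe": stub,
        "Payload/Demo.app/FBDialog.bundle/close.png": b"\x89PNG\r\n\x1a\n",
        "Payload/Demo.app/images.exe/images.exe": stub,
        "Payload/Demo.app/images/logo.exe": stub,
        "Payload/Demo.app/Demo": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # Mach-O magic
        "Payload/Demo.app/notes.exe": b"plain text, wrong extension",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:18} {rel}")
```

Run against the unzipped contents of a build artifact, a non-empty result is a reason to block the release and scan the build machine and any Windows host the source tree passed through.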
Technical information of the virus
– Writes the following values to execute the virus at Windows startup:
    dc2k5=C:\WINDOWS\SVIQ.EXE
    dc=C:\WINDOWS\dc.exe
    Fun=C:\WINDOWS\system\Fun.exe
  into key [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    load=C:\WINDOWS\inf\Other.exe
    run=C:\WINDOWS\system32\config\Win.exe
  into key [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    Shell=Explorer.exe C:\WINDOWS\system32\WinSit.exe
  into key [HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
– Spreads via USB drives, shared folders, Yahoo! Messenger.
– Downloads files from the following links to update itself and the contents of the messages it sends via Yahoo! Messenger:
    http://dungcoi[removed].googlepages.com/Fun.exe (dead link)
    http://dungcoi[removed].googlepages.com/ND.txt (dead link)
Nguyen Cong Cuong
Senior Malware Researcher