Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Virus
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

MSN Messenger Malware?

from [Mikey] Network Security [Permanent Link]
Subject: MSN Messenger Malware?
Date: Fri, 15 Apr 2005 12:20:31 +1000 
Hi all.

I haven't been following the virus scene very closely of late so this may be an old one. Still, I wouldn't mind if someone could help me identify if it is and if it isn't, bring it to the attention of the proper authorities.

Firstly, a bit about the environment; I am running MSN Messenger v6.2.0205. Yesterday, a colleague sent me a message that says this;

[05:29:29 PM] Colleague: its you!
[05:29:30 PM] Colleague:
              http://hydr0.net/pictures.php?email=email@hotmai
              l.com

I have changed his real alias to "Colleague" and my MSN IM registered email address to email@hotmail.com for our protection (and yes, its different to the one I am using to send this message).

Now, normally, you don't see this kind of message except in spam messages. But if you click on that link, it will download and execute an executable (on Windows XP SP2, it will ask you about it).

Of course, this is my own trusted colleague who is normally very conscientious in keeping viruses and malware out, especially from spam email.

When you let it execute, it installs two files into the C:\Program Files\999 directory.

It then executes one of these executables and sends this message to EVERYONE on your MSN IM contact list that is NOT offline.

The message is the same as above but the email address is the same one as the recipient's email address. For example, the program will send a message to Colleague2 who has a registered MSN IM email address is "email2@hotmail.com". This message to her (from you) will look like this;

[05:29:29 PM] Colleague2: its you!
[05:29:30 PM] Colleague2:
              http://hydr0.net/pictures.php?email2=email@hotmai
              l.com

So this epidemic spreads.

The motive? I can only think that the owner of http://hydr0.net is collecting email addresses. He or she is using MSN Messenger to proliferate this executable to catch users offguard, while collecting more email addresses as this message spreads.

The website is still active and there must be a registered domain owner so I would be interested to hear if anyone can dig further. ;-)

BTW - I think I have cleaned it out by deleting the C:\Program Files\999 directory and its files.

Look forward to hear some feedback on whether this is an already identified malware or not and where I can find more information on it (like its name), if it has already been identified.


Cheers,

Michael.

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: WinCE.Dust Remover Concept, Ratter
Next by Date:  Fwd: MSN Messenger Malware?, Mikey
Previous by Thread:  WinCE.Dust Remover Concept, Michael
Next by Thread:  RE: MSN Messenger Malware?, Neil A Trevains
Indexes:  [Date] [Thread] [Top] [All Lists]