Im almost postive this is a variant of the Kelvir Virus
I have been watching this virus closely becauser i have got it before
I Remeber finding the same site you typed was in the explanation of a
variant of the Kelvir Virus
Althought Symantec antivirus company has detected this variant, Virus
defintions have not been made for that particular variant yet...But if
you gived them some time they will release it.
I WOULD SUGGEST TO SEARCH GOOGLE GOT FREE SYMANTEC ONLINE SCAN OR GO
TO THERE WEBSITE SYMANTEC.COM OR IF YOU GOT ANTIVIRUS SOFTWARE UPDATE
IT TO THE CURRENT DEFINITIONS.
I HATE THIS VIRUS SO BECAREFULE WHAT YOU CLICK
On 4/14/05, Mikey <mike_chan_@hotmail.com> wrote:
Sorry...that example should have read;
[05:29:29 PM] Colleague2: its you!
[05:29:30 PM] Colleague2:
http://hydr0.net/pictures.php?email=email2@hotmai
l.com
Thanks to those who have pointed it out.
Cheers,
Michael.
To: focus-virus@securityfocus.com
From: Mikey <mike_chan_@hotmail.com>
Subject: MSN Messenger Malware?
Hi all.
I haven't been following the virus scene very closely of late so this may
be an old one. Still, I wouldn't mind if someone could help me identify if
it is and if it isn't, bring it to the attention of the proper authorities.
Firstly, a bit about the environment; I am running MSN Messenger
v6.2.0205. Yesterday, a colleague sent me a message that says this;
[05:29:29 PM] Colleague: its you!
[05:29:30 PM] Colleague:
http://hydr0.net/pictures.php?email=email@hotmai
l.com
I have changed his real alias to "Colleague" and my MSN IM registered
email address to email@hotmail.com for our protection (and yes, its
different to the one I am using to send this message).
Now, normally, you don't see this kind of message except in spam messages.
But if you click on that link, it will download and execute an executable
(on Windows XP SP2, it will ask you about it).
Of course, this is my own trusted colleague who is normally very
conscientious in keeping viruses and malware out, especially from spam email.
When you let it execute, it installs two files into the C:\Program
Files\999 directory.
It then executes one of these executables and sends this message to
EVERYONE on your MSN IM contact list that is NOT offline.
The message is the same as above but the email address is the same one as
the recipient's email address. For example, the program will send a
message to Colleague2 who has a registered MSN IM email address is
"email2@hotmail.com". This message to her (from you) will look like this;
[05:29:29 PM] Colleague2: its you!
[05:29:30 PM] Colleague2:
http://hydr0.net/pictures.php?email2=email@hotmai
l.com
So this epidemic spreads.
The motive? I can only think that the owner of http://hydr0.net is
collecting email addresses. He or she is using MSN Messenger to
proliferate this executable to catch users offguard, while collecting more
email addresses as this message spreads.
The website is still active and there must be a registered domain owner so
I would be interested to hear if anyone can dig further. ;-)
BTW - I think I have cleaned it out by deleting the C:\Program Files\999
directory and its files.
Look forward to hear some feedback on whether this is an already
identified malware or not and where I can find more information on it
(like its name), if it has already been identified.
Cheers,
Michael.
--
Check out gmail.com or search google for "gmail invites" for a great
E-mail service
