RE: MSN Messenger Malware?

That site was closed down yesterday was it not? 


Mark Handy
STAR (Security Threat Assessment and Response)

-----Original Message-----
From: Mikey [mailto:mike_chan_@hotmail.com] 
Sent: 14 April 2005 22:26
To: focus-virus@securityfocus.com
Subject: Fwd: MSN Messenger Malware?

Sorry...that example should have read;

> [05:29:29 PM] Colleague2: its you!
> [05:29:30 PM] Colleague2:
>               http://hydr0.net/pictures.php?email=email2@hotmai
>               l.com

Thanks to those who have pointed it out.


Cheers,

Michael.

> To: focus-virus@securityfocus.com
> From: Mikey <mike_chan_@hotmail.com>
> Subject: MSN Messenger Malware?
>
> Hi all.
>
> I haven't been following the virus scene very closely of late so this 
> may be an old one. Still, I wouldn't mind if someone could help me 
> identify if it is and if it isn't, bring it to the attention of the
proper authorities.
> Firstly, a bit about the environment; I am running MSN Messenger 
> v6.2.0205. Yesterday, a colleague sent me a message that says this;
>
> [05:29:29 PM] Colleague: its you!
> [05:29:30 PM] Colleague:
>               http://hydr0.net/pictures.php?email=email@hotmai
>               l.com
>
> I have changed his real alias to "Colleague" and my MSN IM registered 
> email address to email@hotmail.com for our protection (and yes, its 
> different to the one I am using to send this message).
>
> Now, normally, you don't see this kind of message except in spam
messages. 
> But if you click on that link, it will download and execute an 
> executable (on Windows XP SP2, it will ask you about it).
>
> Of course, this is my own trusted colleague who is normally very 
> conscientious in keeping viruses and malware out, especially from spam
email.
> When you let it execute, it installs two files into the C:\Program
> Files\999 directory.
>
> It then executes one of these executables and sends this message to 
> EVERYONE on your MSN IM contact list that is NOT offline.
>
> The message is the same as above but the email address is the same one 
> as the recipient's email address. For example, the program will send a 
> message to Colleague2 who has a registered MSN IM email address is 
> "email2@hotmail.com". This message to her (from you) will look like 
> this;
>
> [05:29:29 PM] Colleague2: its you!
> [05:29:30 PM] Colleague2:
>               http://hydr0.net/pictures.php?email2=email@hotmai
>               l.com
>
> So this epidemic spreads.
>
> The motive? I can only think that the owner of http://hydr0.net is 
> collecting email addresses. He or she is using MSN Messenger to 
> proliferate this executable to catch users offguard, while collecting 
> more email addresses as this message spreads.
>
> The website is still active and there must be a registered domain owner

> so I would be interested to hear if anyone can dig further. ;-)
>
> BTW - I think I have cleaned it out by deleting the C:\Program 
> Files\999 directory and its files.
>
> Look forward to hear some feedback on whether this is an already 
> identified malware or not and where I can find more information on it 
> (like its name), if it has already been identified.
>
>
> Cheers,
>
> Michael. 
--------------------------------------------------------
 
NOTICE: If received in error, please destroy and notify sender.  Sender does 
not waive confidentiality or privilege, and use is prohibited.