
MSN IM Worm

Another MSN IM-worm is making the rounds in an effort to build yet another IRC-based botnet. Almost all of the activity we are seeing comes from our user community in Italy, Spain, Argentina and Peru.

A message arrives asking “Is this your photo?” and carries the file either as an attachment or as a link. The attachment seen so far is a ZIP named “134453_9198.JPG-WWW.MYSPACE.zip” containing “134453_9198[1].JPG-WWW.MYSPACE.COM”; other names in circulation are “134453_9198.JPG-WWW.YOUTUBE.COM”, “134453_9198.JPG-WWW.MSNSPACES.COM” and “IMAGE_134453.JPG-WWW.MYSPACE.COM”. The “.JPG-WWW.<site>.COM” suffix is the lure: the name reads like a picture hosted on a social-networking site, but the real extension is .COM, so the file is an executable. When run, it copies itself to the temp directory as taksmgr.exe (a letter away from taskmgr.exe) and to the Windows directory as wksvcsc.exe or winudpmgr.exe, names chosen to resemble system services, and then attempts to send itself to everyone in the victim's MSN contact list. Variants have attempted to phone home to m.bihsecurity.com over IRC and other channels. The activity is recorded in this ThreatExpert report.
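As an added example (not code from the original post or from any vendor tool), the script below turns the indicators above into a host-side check. It flags the “.JPG-WWW.<site>.COM” naming trick, generalised to any filename where an image extension is followed later by a Windows executable extension; it matches the names the worm drops; and it compares a file's digests with the hashes from the VirusTotal report. The hashes and filenames come from the post; the list of names scanned at the bottom is constructed for illustration.

```python
import hashlib
import re

# Indicators from the post: the copies the worm writes to %TEMP% and the
# Windows directory, and the digests listed in the VirusTotal report.
DROPPED_NAMES = {"taksmgr.exe", "wksvcsc.exe", "winudpmgr.exe"}
KNOWN_HASHES = {
    "md5": {"7029a5feddc61e7da347b80c0fa3cc48"},
    "sha1": {"431d7e328245dfd493fce228901c97af2912f7b2"},
    "sha256": {"7a35c959f1c7026115fa41253a782a36909a12a9301ec5d9453c25e238f304cc"},
}

# The lure hides a real executable extension (".COM") behind a picture-looking
# inner one (".JPG-WWW.MYSPACE"). Generalised here (an assumption beyond the
# post) to any image extension followed later by any executable extension.
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}
EXEC_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}


def is_masquerade(name):
    """True if `name` looks like an image but really ends in an executable extension."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return False  # "photo.jpg" or "photo.exe" alone is not a double extension
    final = parts[-1]
    inner = parts[1:-1]
    # An inner segment may carry decoy text after a dash, e.g. "jpg-www".
    return final in EXEC_EXTS and any(seg.split("-")[0] in IMAGE_EXTS for seg in inner)


def is_dropped_name(name):
    """True if the basename is one of the copies the worm writes to disk."""
    base = re.split(r"[\\/]", name)[-1].lower()
    return base in DROPPED_NAMES


def digests(data):
    """MD5, SHA1 and SHA256 of a byte string, in the VirusTotal layout."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matching_algorithms(data, known=KNOWN_HASHES):
    """Set of hash algorithms under which `data` matches a known sample."""
    d = digests(data)
    return {alg for alg in known if d[alg] in known[alg]}


def scan_names(names):
    """Classify filenames; returns a (name, reason) pair for each hit."""
    hits = []
    for n in names:
        if is_masquerade(n):
            hits.append((n, "image name masquerading an executable"))
        elif is_dropped_name(n):
            hits.append((n, "dropped copy of the worm"))
    return hits


# Constructed sample input: names from the post mixed with benign ones.
SAMPLE_NAMES = [
    "134453_9198[1].JPG-WWW.MYSPACE.COM",
    "IMAGE_134453.JPG-WWW.MYSPACE.COM",
    "C:\\Windows\\wksvcsc.exe",
    "holiday.jpg",
    "www.example.com",  # reads like a host name, not a lure: no image extension
    "report.jpg.exe",   # the classic double extension, caught by the same rule
]

if __name__ == "__main__":
    for name, reason in scan_names(SAMPLE_NAMES):
        print(f"{name}: {reason}")
```

The hash check is the only exact match; the name rules are heuristics and will also catch the next variant that swaps MYSPACE for another site, which is the point of writing them that way.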

VirusTotal results help explain why this one is spreading: at the time of the scan only 12 of 32 engines flagged the file, and three of those (Panda, Prevx1, Sophos) gave generic verdicts rather than a family name:

File image_134453_9198.jpg-www.myspace received on 06.04.2008 18:16:28 (CET)

Antivirus          Version          Last Update  Result
AhnLab-V3          2008.5.30.1      2008.06.04   -
AntiVir            7.8.0.26         2008.06.04   Worm/IrcBot.43803
Authentium         5.1.0.4          2008.06.04   -
Avast              4.8.1195.0       2008.06.04   -
AVG                7.5.0.516        2008.06.04   -
BitDefender        7.2              2008.06.04   -
CAT-QuickHeal      9.50             2008.06.04   Backdoor.IRCBot.dip
ClamAV             0.92.1           2008.06.04   Trojan.IRCBot-2456
DrWeb              4.44.0.09170     2008.06.04   -
eSafe              7.0.15.0         2008.06.04   -
eTrust-Vet         31.6.5847        2008.06.04   -
Ewido              4.0              2008.06.04   -
F-Prot             4.4.4.56         2008.06.02   -
F-Secure           6.70.13260.0     2008.06.04   Backdoor.Win32.IRCBot.dip
Fortinet           3.14.0.0         2008.06.04   -
GData              2.0.7306.1023    2008.06.04   Backdoor.Win32.IRCBot.dip
Ikarus             T3.1.1.26.0      2008.06.04   Backdoor.Win32.IRCBot.dip
Kaspersky          7.0.0.125        2008.06.04   Backdoor.Win32.IRCBot.dip
McAfee             5309             2008.06.03   -
Microsoft          1.3604           2008.06.04   -
NOD32v2            3158             2008.06.04   Win32/IRCBot.AGQ
Norman             5.80.02          2008.06.04   -
Panda              9.0.0.4          2008.06.04   Suspicious file
Prevx1             V2               2008.06.04   Worm
Rising             20.47.22.00      2008.06.04   -
Sophos             4.30.0           2008.06.04   Mal/Generic-A
Sunbelt            3.0.1144.1       2008.06.04   -
Symantec           10               2008.06.04   -
TheHacker          6.2.92.333       2008.06.03   -
VBA32              3.12.6.7         2008.06.03   -
VirusBuster        4.3.26:9         2008.06.03   -
Webwasher-Gateway  6.6.2            2008.06.04   Worm.IrcBot.43803

Additional information
File size: 43803 bytes
MD5:    7029a5feddc61e7da347b80c0fa3cc48
SHA1:   431d7e328245dfd493fce228901c97af2912f7b2
SHA256: 7a35c959f1c7026115fa41253a782a36909a12a9301ec5d9453c25e238f304cc
SHA512: c29a762a71e28842fd65e2fc798ad79ba4c25ccaa21d57f1e0ac7c708fc107a60f99c528d16d79eb8ab085cb26472d8a892aa4c79e35dd25e01d3cd388b403de
PEiD:   -

We saw this same sort of IM-worm activity in December.

Update — It’s now June 24th. Some of the other vendors’ research teams have had the time to get a little more certain on this worm. Maybe just a nudge would help… ;)

This entry was posted in Online Fraud.
