We’re seeing a new version of the worms that we previously posted info about.
Some slight changes in the newest version: it is circulating under the name “newphoto011.jpeg-www.myspace.com”, which I’m sure will change soon enough. This time it spawns a hidden process that loads “msnp2pmgr.exe”; the authors keenly call it their “MSN P2P Manager”. It connects back to xili.zerolost.org, which resolves to a number of IPs: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168.
The authors seem to be getting a bit more aggressive against security solutions: the worm now delivers a long list of modifications to the HOSTS file, which can be seen in this ThreatExpert report (look to the bottom of the report under “The HOSTS file was updated with the following URL-to-IP mappings”). These mappings stop the user from visiting sites that might describe the worm as malicious, and also block security products from reaching their update servers to download signatures. A quick manual check on a suspect machine is to open %SystemRoot%\System32\drivers\etc\hosts and look for vendor or update domains pointed at 127.0.0.1, 0.0.0.0, or an address the attacker controls.
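To make that check repeatable, here is an added example (not code from the original post or from the worm's authors) that parses a HOSTS file and flags entries that sinkhole or redirect security-vendor and update domains. The vendor watch list and the sample HOSTS content are constructed for illustration; the real report's mapping list is not reproduced here.

```python
"""Flag HOSTS-file entries that sinkhole security-vendor sites.

Added example, not from the original post. The watch list below and the
sample HOSTS text are constructed assumptions; extend the list with the
update hosts your own products actually use.
"""
import ipaddress

# Assumed watch list: domains an AV product, or a user researching a
# worm, needs to reach. Matched on the domain or any subdomain.
WATCHED_SUFFIXES = (
    "symantec.com", "mcafee.com", "kaspersky.com", "sophos.com",
    "trendmicro.com", "avast.com", "avg.com", "microsoft.com",
    "windowsupdate.com", "threatexpert.com", "virustotal.com",
)

# Constructed sample of a HOSTS file after a worm of this kind has run.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0 update.mcafee.com
192.0.2.10 downloads.kaspersky.com   # redirected, not just blocked
127.0.0.1 www.threatexpert.com
127.0.0.1 intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                    # one line may map several names
            yield ip, name.lower(), line_no


def is_watched(hostname):
    """True if the hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def classify(ip):
    """Describe where a mapping sends traffic: blackhole, redirect or invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"            # 127.x / ::1 / 0.0.0.0: name goes nowhere
    return "redirect"                 # routable address: possible MITM of updates


def find_sinkholed(text):
    """Return suspicious entries as (line_no, hostname, ip, verdict) tuples."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost" or not is_watched(name):
            continue
        hits.append((line_no, name, ip, classify(ip)))
    return hits


if __name__ == "__main__":
    # On a live Windows box, read %SystemRoot%\System32\drivers\etc\hosts
    # instead of the constructed sample.
    for line_no, name, ip, verdict in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({verdict})")
```

Entries that map a watched domain to a loopback or unspecified address are the plain blocking described in the report; a watched domain mapped to a routable address is worth more attention, since it can silently redirect signature downloads to a host the attacker controls rather than just breaking them.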
AV scanner detection catching up: