Brand new dangerous messenger-virus on the run

Started by Frands, October 10, 2008, 07:57:10 PM


Frands

Hi There :)
FYI

CSIS has now blocked two harmful domains in CSIS Sec-DNS and CSIS CSG, which are being misused as the download server and the IRC-based C&C server of a worm that now spreads via the MSN Messenger service.
 
Antivirus detection of the malicious code is low: only 7 out of 38 antivirus products are able to detect this code, so we recommend that companies take steps to prevent end users from clicking the link they may receive via MSN Messenger.
 
The malicious code arrives as an MSN message from a friend or acquaintance.
 
The content may be as follows (space inserted by CSIS):
 
[Date], [acquaintance]
haha :D webcams.serve rocean.com / watch.php? = [e-mail address of the recipient of the message]
 

If the recipient clicks on this link, they land on a fake YouTube page which uses JavaScript to try to lure the user into downloading the malicious file "install_flash_player.exe", which obviously is not something you want to let onto your PC!
 
The malicious code is protected by the program Themida, an extremely complex PE protector that performs industrial-strength anti-debugging checks of the system to protect the code against technical analysis. If the code is run, it drops the file "Services.exe" into the Windows system folder, which immediately connects to an IRC server at (space inserted by CSIS):
services.ms nservers.net. This is done via TCP port 1863.

Antivirus          Version          Last Update   Result
AhnLab-V3          2008.10.3.2      2008.10.08    -
AntiVir            7.8.1.34         2008.10.08    TR/Crypt.XPACK.Gen
Authentium         5.1.0.4          2008.10.08    -
Avast              4.8.1248.0       2008.10.08    -
AVG                8.0.0.161        2008.10.07    -
BitDefender        7.2              2008.10.08    -
CAT-QuickHeal      9.50             2008.10.08    (Suspicious) - DNAScan
ClamAV             0.93.1           2008.10.08    -
DrWeb              4.44.0.09170     2008.10.08    -
eSafe              7.0.17.0         2008.10.07    -
eTrust-Vet         31.6.6135        2008.10.08    -
Ewido              4.0              2008.10.07    -
F-Prot             4.4.4.56         2008.10.07    -
F-Secure           8.0.14332.0      2008.10.08    Trojan.Win32.Buzus.aasa
Fortinet           3.113.0.0        2008.10.08    -
GData              19               2008.10.08    -
Ikarus             T3.1.1.34.0      2008.10.08    -
K7AntiVirus        7.10.487         2008.10.07    -
Kaspersky          7.0.0.125        2008.10.08    Trojan.Win32.Buzus.aasa
McAfee             5400             2008.10.07    -
Microsoft          1.4005           2008.10.08    VirTool:Win32/DelfInject.gen!AF
NOD32              3502             2008.10.07    -
Norman             5.80.02          2008.10.07    -
Panda              9.0.0.4          2008.10.07    -
PCTools            4.4.2.0          2008.10.07    -
Prevx1             V2               2008.10.08    -
Rising             20.65.22.00      2008.10.08    -
SecureWeb-Gateway  6.7.6            2008.10.08    Trojan.Crypt.XPACK.Gen
Sophos             4.34.0           2008.10.08    Sus/UnkPacker
Sunbelt            3.1.1708.1       2008.10.08    -
Symantec           10               2008.10.08    -
TheHacker          6.3.1.0.103      2008.10.07    -
TrendMicro         8.700.0.1004     2008.10.08    -
VBA32              3.12.8.6         2008.10.07    -
ViRobot            2008.10.8.1411   2008.10.08    -
VirusBuster        4.5.11.0         2008.10.07    -

With kind regards
Stealthzone
Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
-----
Trend Micro Internet Security


Home Forums:
https://www.landzdown.com/
http://securitygarden.blogspot.dk/
https://www.classicrockforums.com/
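The indicators in the CSIS warning above (the lure link carrying the recipient's own e-mail address, the dropper name, the dropped "Services.exe" and the IRC C&C on TCP 1863) turned into a small indicator checker. This is an added example, not code from CSIS or from anyone in this thread. The indicators are kept in the defanged form the post prints and re-joined before matching; the sample messages, connection records and file paths are constructed; the assumption that only msnmsgr.exe should be talking on port 1863, and the reading of "Windows system folder" as %SystemRoot%\System32, are mine.

```python
"""Indicator checks for the MSN Messenger worm in the CSIS warning above.

Added example, not code from CSIS or the forum. The indicators come from
the post; every sample message, connection and path below is constructed.
"""
import re
from dataclasses import dataclass

# Indicators exactly as the post prints them, including the space CSIS
# inserted to keep them unclickable; refang() removes it before matching.
LURE_DOMAIN_DEFANGED = "webcams.serve rocean.com"
CNC_HOST_DEFANGED = "services.ms nservers.net"
CNC_PORT = 1863                     # also MSN Messenger's own port
DROPPER_NAME = "install_flash_player.exe"
DROPPED_NAME = "services.exe"       # same name as the legitimate SCM binary
MESSENGER_PROCESS = "msnmsgr.exe"   # assumption: the only process expected on 1863


def refang(indicator: str) -> str:
    """Remove the defanging space so the indicator matches live data."""
    return indicator.replace(" ", "")


LURE_DOMAIN = refang(LURE_DOMAIN_DEFANGED)
CNC_HOST = refang(CNC_HOST_DEFANGED)

# Lure link: <domain>/watch.php?=<recipient e-mail>. The empty query key
# followed directly by an e-mail address is the distinctive shape.
LURE_RE = re.compile(
    r"(?:https?://)?" + re.escape(LURE_DOMAIN) + r"/watch\.php\?=([^\s@]+@\S+)",
    re.IGNORECASE,
)


def scan_message(text: str) -> list[str]:
    """Return reasons a chat message looks like the worm's lure (empty if none)."""
    reasons = []
    match = LURE_RE.search(text)
    if match:
        reasons.append(f"lure link addressed to {match.group(1)}")
    elif LURE_DOMAIN in text.lower():
        reasons.append("lure domain present")
    if DROPPER_NAME in text.lower():
        reasons.append(f"dropper name {DROPPER_NAME} mentioned")
    return reasons


@dataclass
class Connection:
    process: str    # image name of the process that opened the socket
    dst_host: str
    dst_port: int


def scan_connection(conn: Connection) -> list[str]:
    """Return reasons an outbound connection looks like the worm's C&C traffic."""
    reasons = []
    if conn.dst_host.lower() == CNC_HOST:
        reasons.append("C&C host named in the advisory")
    if conn.dst_port == CNC_PORT and conn.process.lower() != MESSENGER_PROCESS:
        # Port alone is a weak signal: 1863 is normal Messenger traffic, so
        # only flag it when the client is not the Messenger process.
        reasons.append(f"{conn.process} talks on Messenger port {CNC_PORT}")
    return reasons


def scan_file_create(path: str) -> list[str]:
    """Flag a *new* Services.exe written to the system folder.

    The post's "Windows system folder" is read as %SystemRoot%\\System32
    (assumption). The real services.exe already lives there, so this must
    run on file-creation events, never on a directory listing.
    """
    folder, _, name = path.replace("/", "\\").lower().rpartition("\\")
    if name == DROPPED_NAME and folder.endswith("\\system32"):
        return ["new services.exe written to the system folder"]
    return []


if __name__ == "__main__":
    # Constructed sample data, not real telemetry.
    samples = {
        "msg": scan_message("haha :D webcams.serverocean.com/watch.php?=bob@example.com"),
        "conn": scan_connection(Connection("Services.exe", "services.msnservers.net", 1863)),
        "file": scan_file_create(r"C:\WINDOWS\system32\Services.exe"),
    }
    for kind, hits in samples.items():
        print(kind, "->", hits or "clean")
```

Two caveats are built into the checks: the C&C port is the same port MSN Messenger itself uses, so the worm's IRC traffic blends in with legitimate chat traffic and a port-based rule needs the connecting process name to be useful; and the dropped file reuses the name of the real Service Control Manager binary, so the file check only makes sense on a creation event, not on the mere presence of services.exe in System32.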

Temmu

Yikes.
Have any software vendors caught up with the others in detecting this thing?

Frands

Hi Temmu :)
At the time I wrote this warning the news about this messenger-virus was pretty new (six hours), and many of the software vendors had not got their signatures updated. I am sure that most of the vendors have caught up with the other vendors which are mentioned on the list.

---------

My advice is: don't click on links in Messenger unless you have checked with your contacts whether they actually posted them  ;)