Author Topic: New Messenger worm -again!  (Read 3658 times)


Frands
« on: February 02, 2009, 08:06:07 PM »
Hi :)


CSIS has over the weekend observed a slight increase in traffic, suggesting that an active Messenger worm is starting to download more malicious components. The increase indicates that the worm has already succeeded in getting several machines infected with the malicious code.

CSIS warns about this worm and the malicious domains from which it downloads and updates itself.

It is a traditional MSN worm. The code appears to come from a group of IT criminals - probably from Albania.

The worm spreads itself, like other MSN worms, by sending itself from an infected machine to all contacts on the MSN buddy list.
It typically uses social engineering: the message is made to look as if the user will land on a popular foreign social network named 'hi5' if they click on the link. That is not the case; the domains simply look very similar to hi5's official website, but otherwise have nothing in common with the hi5 service.

So in short, you must stay away from Messenger messages that want you to click links that lead to something with hi5.
The technical side

If you are more technically minded, read on and see how you can block the harmful domains.

CSIS has kept an eye on the IRC channels which infected machines connect to, and has released an update that right away gets infected machines to download and run additional code from the following URLs (spaces inserted by CSIS):

http://193.13 8.205.121/spc.gif
http://www.freewe / alfakar / pig.jpg
http://www.freewe / alfakar / nat.jpg
http://www.freewe / alfakar / wip.jpg

In some cases, the contents of IRC communication may be encrypted. See example below (spaces inserted by CSIS):

2009-01-30 23:49:51 [8942] 72.10.17 2.218:9928: @ _ @ 001 pYWWEjPS:
2009-01-30 23:49:56 [8942] 72.10.17 2.218:9928: x.hub.x 332 pYWWEjPS Siwa #: = XRlSYWHDxodKoKTdT7BxKpedXm7GERdOTvU41sULBVo0tVz3vs9al15JIViw

As previously mentioned, the worm sends messages via the MSN network which contain links to a malicious .scr or .exe file on the following domains (spaces inserted by CSIS): high5ph, hi5-ph and site.hi
We recommend that you block access to these websites in your proxy / content filter or firewall.
Such a link could for example look like this: www.hi5p / images.php? [E-mail address of recipient]. If the recipient clicks the link, the file is offered and infects the machine the moment it is opened by the user.

More Features

This worm contains more features than just MSN replication and IRC bot control. It can also spread via the internal network. An indication of one or more infected machines (in addition to numerous related domains used to reach the IRC control) will be arbitrary internal scans via TCP port 135 with hundreds of attempts per second. It also opens UDP port 69 (TFTP) for further replication in the internal network from infected machines.

My search: CSIS Security Group
Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
Trend Micro Internet Security
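
The network indicators described under "More Features" (bursts of internal TCP port 135 connections and TFTP on UDP port 69) can be hunted for in firewall or flow logs. The following is an added example, not part of the original post or of the CSIS advisory; the log layout, the threshold of 100 targets per second and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SCAN_THRESHOLD = 100  # distinct internal targets per second; assumed cut-off for "hundreds"

def is_internal(ip):
    # Raises ValueError for strings that are not IP addresses
    return ipaddress.ip_address(ip).is_private

def parse(line):
    """Parse 'timestamp proto src dst dport' (assumed layout, one-second timestamps)."""
    ts, proto, src, dst, dport = line.split()
    return ts, proto.upper(), src, dst, int(dport)

def find_suspects(lines, threshold=SCAN_THRESHOLD):
    targets = defaultdict(set)   # (src, second) -> distinct internal TCP/135 targets
    tftp_servers = set()         # internal hosts that receive UDP/69 requests
    for line in lines:
        try:
            ts, proto, src, dst, dport = parse(line)
            internal = is_internal(src) and is_internal(dst)
        except ValueError:
            continue             # skip malformed lines
        if not internal:
            continue             # only internal-to-internal traffic is of interest here
        if proto == "TCP" and dport == 135:
            targets[(src, ts)].add(dst)
        elif proto == "UDP" and dport == 69:
            tftp_servers.add(dst)
    scanners = {src for (src, _), dsts in targets.items() if len(dsts) >= threshold}
    # A scanning host that is also contacted on UDP/69 matches both indicators
    return {"scanners": scanners, "scanners_serving_tftp": scanners & tftp_servers}

def sample_log():
    """Constructed sample traffic, not real data."""
    lines = [f"2009-02-02T10:00:00 TCP 10.0.0.23 10.0.{i // 200}.{i % 200 + 1} 135"
             for i in range(300)]                          # 300 targets in one second
    lines += ["2009-02-02T10:00:02 UDP 10.0.1.7 10.0.0.23 69",   # TFTP request to the scanner
              "2009-02-02T10:00:03 TCP 10.0.0.40 10.0.0.5 135",  # single ordinary RPC connection
              "2009-02-02T10:00:04 UDP 10.0.0.41 10.0.0.9 69",   # TFTP to a non-scanning host
              "garbage line"]
    return lines

if __name__ == "__main__":
    print(find_suspects(sample_log()))
```

Hosts in `scanners_serving_tftp` match both behaviours the post describes and are the first candidates for isolation; tune the threshold to the one-second resolution and volume of your own logs.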