as tedob1 reported in his tutorial i decided to do some digging on this new virii spreading through MSN instant messenger

this is from writers have targeted MSN Messenger users with a childishly transparent, but at least partially effective, piece of social engineering.

The Henpeck (or Rodok) worm began circulating to MSN Messenger users earlier this week inviting users to download and feedback on the 'readme' file of a program.

The link contained in the message went to an executable file which, if users were daft enough to visit, attempted to download malicious files including a Trojan component, called Brat.

If the malicious payload is executed, the worm mails itself a instant message inviting all the contacts of an infected user to catch the pox too. Afterwards the worm displays a fake CD key generator.

Henpeck is also capable of stealing keys for the games Half-Life and Counter-Strike and sending them to a Hotmail email address.

The site containing the worm has now been pulled, but not before infecting a substantial number of people. Those users should get themselves disinfected since their machines have been compromised with the Brat Trojan and further mischief might follow otherwise.

It's not the first time virus writers have targeted Messenger users. Though most of these attacks haven't gone too far, they'll still given cause for concern.

In March, security clearing house CERT warned that IRC and instant messaging (IM) services are increasingly becoming vectors for social engineering attacks. Henpeck is a prime example of this phenomenon. ®
more info on the brat trojan that this worm attempt to download if usewrs visit a specific file

Detected by Sophos Anti-Virus since October 2001. Description

Troj/Brat is a backdoor Trojan. Troj/Brat runs in the background as a server process and allows malicious remote users access to and control over your computer.

Troj/Brat copies itself into the Windows folder using a random filename. The Trojan adds an entry to the registry or to one of the Windows startup (.INI) files so that it runs automatically every time you start your computer.

Troj/Brat may add registry values to the following keys:




The Trojan may add a run= line to the [Windows] section of the WIN.INI file.

The Trojan may also add its folder and filename to the shell= line in the [Boot] section of the SYSTEM.INI file. (This line usually reads shell=explorer.exe on Windows 95/98/Me computers.)
here is a link for rempval instructions

Trojans infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up. Check the virus analysis for details of such behaviour.
1. Removing Trojans in Windows 95/98/Me

To remove the Trojan

* Check the virus analysis for details on the Trojan and its removal.
* Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
* Select the 'Immediate' tab.
* Go to Options|Configuration... select the 'Action' tab, tick 'Infected files', select 'Delete' then click 'OK'.
* Click the 'Go' button on the toolbar to start the scan.
* Delete the files. Run another scan to check it has gone.
* Go back to Options|Configuration... select the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
* Reboot and run a final scan to be certain it has gone.

If the Trojan cannot be removed because the files are held open by the operating system:

* Reboot the PC from a clean startup or system disk.
* Delete and replace the infected files manually or using the DOS instructions.

2. Removing Trojans in Windows NT/2000

To remove the Trojan

* Check the virus analysis for details on the Trojan and its removal.
* Close down all programs.
* Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
* Select the 'Immediate' tab.
* Go to Options|Configuration... select the 'Action' tab, tick 'Infected files', select 'Delete' then click 'OK'.
* Click the 'Go' button on the toolbar to start the scan.
* Delete the files. Run another scan to check it has gone.
* Go back to Options|Configuration... select the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
* Reboot and run a final scan to be certain it has gone.

If Sophos Anti-Virus cannot delete files because they are held open by the operating system then contact support.

3. Removing Trojans on Macintosh computers

* Check the virus analysis for details on the Trojan and its removal.
* Close down all programs.
* Run the 'Sophos Anti-Virus' program.
* Go to Edit|Preferences.
* Choose Virus Action from the Immediate Mode menu.
* Select Infected Files and Delete.
* Close SAV Preferences.
* Click on the Go button.
* Click 'OK' when asked if files should be deleted.
* Run another scan to ensure that the Trojan has been removed.
* Go back to Virus Action and deselect Infected Files and Delete.

If problems with the Trojan persist then contact support.
4. Removing Trojans in DOS

You will need SWEEP for DOS on floppy disk. To do this make a set of Emergency SAV disks.

* Check the virus analysis for details on the Trojan and its removal.
* Reboot your PC from a clean system disk, put the 'SWEEP for DOS' disk in the floppy drive and at the A: prompt type:

5. Removing Trojans in OS/2

To delete infected files:

* Check the virus analysis for details on the Trojan and its removal.
* For drive C: at a command prompt type
* Run a scan to check that all Trojan files were deleted.

If infection persists disinfect in stand-alone mode:

* If OS/2 is running, shut it down.
* Boot OS/2 from the OS/2 Utility disk set. Follow the on-screen instructions. When booting has finished the A: prompt appears.
* Remove the OS/2 Utility disk.
* Place the 'Emergency OSWEEP' disk in drive A:.
* For drive C: at the A: command prompt type
(-REMOVEF deletes the infected files, -CI checks the integrity of SWEEP on the 'Emergency OSWEEP' disk). The computer checks program integrity then asks for the virus data disk. Replace the 'Emergency OSWEEP' disk with the virus data disk.
* After disinfection, run another scan to check that all Trojan files were deleted.

If problems persist contact support.
6. Removing Trojans in NetWare

Trojan files should be deleted.

Note: This will delete any documents infected with macro viruses. Deal with them first.

* Check the virus analysis for details on the Trojan horse and its removal.
* Run a scan to locate all Trojan files.
* Select 'Delete in the 'Removal mode' option of the 'Immediate mode' menu.
* Delete the Trojan files.

7. Removing Trojans in Unix

To delete Trojan files:

* Check the virus analysis for details on the Trojan and its removal.
* Use SWEEP with the -remove option
sweep -remove
* Run a scan to check that Trojan infected files were deleted.

8. Removing Trojans in OpenVMS

To delete Trojan files:

* Check the virus analysis for details on the Trojan and its removal.
* Delete the Trojan files by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.

Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.

a note from the cert advisory

Social Engineering Attacks via IRC and Instant Messaging
Release Date: March 19, 2002

A complete revision history can be found at the end of this file.
Systems Affected
Systems running Internet Relay Chat (IRC) or Instant Messaging (IM) clients

The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat (IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner.
I. Description

Reports received by the CERT/CC indicate that intruders are using automated tools to post messages to unsuspecting users of IRC or IM services. These messages typically offer the opportunity to download software of some value to the user, including improved music downloads, anti-virus protection, or pornography. Once the user downloads and executes the software, though, their system is co-opted by the attacker for use as an agent in a distributed denial-of-service (DDoS) network. Other reports indicate that Trojan horse and backdoor programs are being propagated via similar techniques.
Here is an example of one such message:
You are infected with a virus that lets hackers get into your machine and read ur files, etc. I suggest you to download [malicious url] and clean ur infected machine. Otherwise you will be banned from [IRC network].

This is purely a social engineering attack since the user's decision to download and run the software is the deciding factor in whether or not the attack is successful. Although this activity is not novel, the technique is still effective, as evidenced by reports of tens of thousands of systems being compromised in this manner. See IN-2000-08: Chat Clients and Network Security for additional information.
II. Impact

As with any DDoS tool installation, the impact is twofold. First, on systems that are compromised by users running untrusted software, intruders may

* exercise remote control
* expose confidential data
* install other malicious software
* change files
* delete files

These risks are not limited to the installation of DDoS agents. In fact, any time a user runs untrusted software these same dangers are present.

The secondary impact is to the sites targeted by the DDoS agents. Sites undergoing a DDoS attack may experience unusually heavy traffic volumes or high packet rates, resulting in degradation of services or loss of connectivity altogether.
III. Solutions
Home users
Run and maintain an anti-virus product

The malicious code being distributed in these attacks is under continuous development by intruders, but most anti-virus software vendors release frequently updated information, tools, or virus databases to help detect and recover from the malicious code involved in this activity. Therefore, it is important that users keep their their anti-virus software up to date. The CERT/CC maintains a partial list of anti-virus vendors at

Many anti-virus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.
Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Users of IRC and IM services should be particularly wary of following links or running software sent to them by other users, as this is a commonly used method among intruders attempting to build networks of DDoS agents.
Understand the risks

Users are encouraged to review our "Home Network Security" tech tip, which provides an overview of risks and mitigation strategies for home users.
Site administrators are encouraged to review our report on denial of service attack technology trends, as well as our recommendations for managing the threat of denial-of-service attacks.

Trends in Denial of Service Attack Technology

Managing the Threat of Denial-of-Service Attacks

Author(s): Allen D. Householder
This document is available from:
CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site
and finally a report on this virus from symatec

W32.HLLW.Henpeck is a worm that is written in Visual Basic. The worm spreads using MSN Messenger, and it is capable of downloading updates to itself from a Web site. The worm appears to originate from Norway, and it uses the file name BR2002.exe.

NOTE: At the time of writing, it was no longer possible to download any of the files from the Web site.

Also Known As: WORM_RODOK.A [Trend], W32/Fleming.worm [McAfee], W32/Rodok-A [Sophos], Win32.Fleming.A [CA], Worm.Win32.Fleming [AVP]
Type: Worm
Infection Length: 53,248 Bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux


# Virus Definitions (Intelligent Updater) *

October 9, 2002
# Virus Definitions (LiveUpdate™) **

October 9, 2002


Intelligent Updater virus definitions are released daily, but require manual download and installation.
Click here to download manually.


LiveUpdate virus definitions are usually released every Wednesday.
Click here for instructions on using LiveUpdate.

threat assessment


* Number of infections: 0 - 49
* Number of sites: 0 - 2
* Geographical distribution: Low
* Threat containment: Easy
* Removal: Moderate

Threat Metrics
Low Low Medium




technical details

When this worm is executed, it does the following:

First, it displays a small window that has two buttons: Generate and Quit. If you click Generate, a key is displayed in the window. This appears to be an attempt to disguise itself as a CD key generator.

Next, the worm sends the following message to all contacts in the MSN Messenger for Windows contact list:

Hey!! Could you please check this program for me? I made it myself and want people to test it. Its a readme with the program that explains what it does! <removed link> <- There you can download it! give me advices on what to upgrade please!!

NOTE: The link no longer works. Currently, if you click the link, a page appears with the message that says that you are not authorized to view the Web page.

Next, the worm attempts to download two additional files from a Web site. If it is successful, the files are saved as C:\Update35784.exe and C:\Hehe2397824.exe. Norton AntiVirus detects these two Trojans as W32.IRCBot.Gen. However, at the time that this document was written, it was no longer possible to download the two files.

If C:\Hehe2397824.exe is executed it does the following:

* It copies itself as the file %windir%\WinUpdat.exeupdate.ur.address.
* It creates the value

WinUpdat %windir%\WinUpdat.exeupdate.ur.address

in the registry key


so that it is executed each time that you start Windows.

Finally, the worm tries to find what appears to be CD keys that belong to the game named Half-Life and to an add-on for the game named Counterstrike. The worm looks for them in these locations:


If the worm finds the keys, it includes them in an MSN message that it sends to the hacker.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Run a full system scan, and delete all files that are detected as W32.HLLW.Henpeck.
3. Delete the value


from the registry key


For details on how to do this, read the following instructions.

To update the virus definitions:
All virus definitions receive full quality assurance testing by Symantec Security Response before being posted to our servers. There are two ways to obtain the most recent virus definitions:

* Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
* Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

Intelligent Updater virus definitions are available here . For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

To scan for and delete the infected files:

1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
o Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
o Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
2. Run a full system scan.
3. If any files are detected as infected with W32.HLLW.Henpeck, click Delete.

To remove the value from the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key


4. In the right pane, if it exists, delete the value


5. Exit the Registry Editor.
well i hope none of you have this nasty piece of software but if you do you will now be more well prepared