March 7th, 2005, 10:22 AM
News: MSN Virus - Do not click on link.
Hot and fresh off the kitchen....
When someone on msn sends u this link
do not accept it.
coz once u accept it, its actually
I have yet to look around at what it does; I will update if it's a hoax or not. But for now, avoid that link. I have just received a msg on MSN with the same said link from an old friend. She went offline after the msg was sent, which explains why my friend went offline after sending me the link. Similar cases were told to me by other people I know over MSN and IRC.
I've had someone in IRC just tell me about it recently. He also received the msg from someone.
UPDATE: 10 mins past
So far, all I've dug up in the past few mins is that there have been several similar cases in the past few weeks, and just today a .pif masked as a .jpg being passed around in links...
Apparently it doesn't only do .pif but also .exe, .bat and .vbs as well.
As far as I've found out, the file automatically sends variations of itself to ur contacts and signs u off automatically...
It is Bropia again! It's spreading quick here in Australia. God, we're way behind... we're getting attacked by a worm that existed a month ago...
This is apparently the same case, just different links.
I'll find more...
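The post above describes the lure: an IM message carrying a link whose file is really a .pif/.exe/.bat/.vbs, sometimes dressed up to look like a .jpg. As an added example (not code from the original post or from any of the posters), here is a small Python filter that pulls links out of a message, flags those ending in an executable extension, and separately flags "masked" names such as photo.jpg.pif. The example.invalid hosts are placeholders, and the addition of .scr and .com to the extension list is this example's own assumption.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Extensions the thread reports the worm using (.pif, .exe, .bat, .vbs); .scr and
# .com are added here as further Windows executable types (an assumption).
EXECUTABLE_EXTS = {"pif", "exe", "bat", "vbs", "scr", "com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def url_extensions(url: str) -> list[str]:
    """Every dotted suffix of the last path segment: 'cute.jpg.pif' -> ['jpg', 'pif']."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return [part.lower() for part in name.split(".")[1:]]

def assess_link(url: str) -> dict:
    """Decide whether a link delivers an executable and whether it is dressed up as media."""
    exts = url_extensions(url)
    executable = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    return {
        "url": url,
        "executable": executable,
        # 'photo.jpg.pif': a media-looking name whose real extension is executable
        "masked": executable and len(exts) > 1 and exts[-2] not in EXECUTABLE_EXTS,
    }

def flag_message(text: str) -> list[dict]:
    """Assessments for each link in an IM message that points at an executable file."""
    links = (u.rstrip(".,!?;)") for u in URL_RE.findall(text))
    return [a for a in map(assess_link, links) if a["executable"]]

if __name__ == "__main__":
    # Constructed lure messages modelled on the ones reported in this thread.
    for msg in ("http://example.invalid/omg.pif lol! see it! u'll like it",
                "omg this is funny! http://example.invalid/cute.jpg.pif",
                "holiday pics: http://example.invalid/beach.jpg"):
        print(msg, "->", flag_message(msg))
```

The check keys on the final extension only, so a .jpg link is left alone while photo.jpg.pif is reported as both executable and masked; a gateway that rewrites or quarantines flagged links would sit on top of flag_message.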
March 7th, 2005, 03:04 PM
On the blog from F-Secure, their latest post mentions a new version of this one, called Bropha.K that came out Sunday.
The link to their blog for a little more info is here.
March 7th, 2005, 04:00 PM
This is what I have:
Early AM, EST, information came about an MSN messenger worm that spread by sending the following message: "http://home.earthlink.net/~gallery10/omg.pif lol! see it! u'll like it"
I would estimate millions got infected.
Once going to that page, the Trojan horse was downloaded onto your PC, and in turn it downloaded three other Trojan horses, also hosted at
One of them then proceeded to connect to a botnet command and control
Due to international cooperation between ISPs, AV companies and CERTs on a secure and vetted drone armies and malicious web sites coordination group (yes, I am a member of this group), all the sites and the C&C IRC server were killed by their
Taking the sites down effectively stopped the spread of the worm, and killing the C&C assured that the infected users won't be later used as a group for illegal purposes such as DDoS, spam, etc. We go into action when worms go out.
This was done in a very short time, and while there were no signatures yet for this worm from AV companies.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
March 7th, 2005, 04:49 PM
Same here (in the UK), but with the format of
omg this is funny! http://jose.rivera4.home.att.net/cute.pif
---- DON'T CLICK IT
March 7th, 2005, 10:12 PM
Got it with another message and link:
Again in the UK
"haha look at us"
I have plenty of thought and talent. I just don't give a damn
March 8th, 2005, 12:26 AM
Yeah, I (err, actually, my sister) got the same one as mikester2 at around 16:30 UTC-5 yesterday, but had the brilliant idea of opening it... :rolleyes:
Now, it installed a bunch of adware that was rather easily removed, but left two running processes:
hotkeysvc is cited in the Symantec and other AV vendors' writeups...
winfrw.exe however I haven't seen mentioned anywhere (nor does Google turn up anything).
A quick `strings` on it reveals that it seems to be an IRC botnet trojan/backdoor that amongst other things creates a user and group on the target machine, tries to connect to MSSQL servers with a blank SA account then executes a localhost ping with the xp_cmdshell extended stored procedure, contains a unicode-encoded /script/../../cmd.exe directory traversal attempt, and such.
MD5 hash of the winfrw.exe file (if anyone wants to compare):
Ok, here's the (interesting parts of the) actual strings output if that interests anyone:
The process also opens and listens on ports tcp 559 and udp 123, but connecting with netcat on them doesn't return anything (and I can't seem to coax it to return any message by sending it stuff).
PRIVMSG %s :%s
net user /add System hakt
net localgroup /add Administrators System
Windows System Configuration
USER %s %s %s :%s
QUIT :Received WM_ENDSESSION message.
QUIT :Received WM_QUIT message.
QUIT :Received WM_QUERYENDSESSION message.
Windows Security Updater
QUIT :Received WM_DESTROY message.
QUIT :Received WM_CLOSE message.
PRIVMSG %s :Version %d.%d (%s). Your mother sucks **** in hell.
PRIVMSG %s :Active window: %s.
PRIVMSG %s :File not found.
PRIVMSG %s :Connected to IRC for: %d day(s), %d hour(s), and %d m
PRIVMSG %s :System Uptime: %d day(s), %d hour(s), and %d minute(s
PRIVMSG %s :OS: Windows %s. IP: %d.%d.%d.%d. Memory: %d/%dMB. CPU
processor(s). Uptime: %d day(s), %d hour(s), and %d minute(s).
PRIVMSG %s :Error while executing file.
PRIVMSG %s :File executed.
PRIVMSG %s :Error while downloading file.
PRIVMSG %s :File downloaded.
PRIVMSG %s :Downloading %s to %s...
PRIVMSG %s :Error while capturing amateur video from webcam.
PRIVMSG %s :Amateur video saved to %s.
PRIVMSG %s :Error while capturing from webcam.
PRIVMSG %s :Webcam capture saved to %s.
PRIVMSG %s :Capture driver #%d - %s - %s.
PRIVMSG %s :Error while capturing screen.
PRIVMSG %s :Screen capture saved to %s.
PRIVMSG %s :KeySpy disabled.
PRIVMSG %s :KeySpy enabled.
PRIVMSG %s :KeySpy already enabled.
PRIVMSG %s :Spoof IP set to '%s'.
PRIVMSG %s :'%s' is an invalid IP address (it's not hard).
PRIVMSG %s :Spoofing currently set to '%s'.
PRIVMSG %s :Spoofing disabled.
PRIVMSG %s :Unable to resolve host.
PRIVMSG %s :Resolved %s to %s.
PRIVMSG %s :Unable to delete %s.
PRIVMSG %s :%s has been deleted.
PRIVMSG %s :Can't resolve IRC server.
PRIVMSG %s :Connecting clone to %s[:%s].
PRIVMSG %s :Max clones reached.
PRIVMSG %s :Clones killed.
PRIVMSG %s :Enable password set to '%s', bot disabled.
PRIVMSG %s :Password accepted, commands enabled.
PRIVMSG %s :Initializing DCC console...
PRIVMSG %s :Downloading '%s' through DCC (%d bytes)...
PRIVMSG %s :CreateFile() failed.
PRIVMSG %s :DCC resume is not supported (yet).
JOIN %s %d
PRIVMSG %s :
PRIVMSG %s :Error sending packets to %s. eax=SOCKET_ERROR, WSAGet
sizeof(buffer) = %d. Packets sent sucessfully = %d.
PRIVMSG %s :Finished sending packets to %s. Sent %d packet(s). ~%
PRIVMSG %s :Sending packets to %s...
PRIVMSG %s :Invalid target IP.
PRIVMSG %s :Error calling setsockopt(). WSAGetLastError() returns
PRIVMSG %s :Error calling socket().
PRIVMSG %s :You cant send packets for 0 seconds.
PRIVMSG %s :Received %s (%d bytes).
PRIVMSG %s :connect() failed.
PRIVMSG %s :socket() failed.
PRIVMSG %s :Sent %s to %s. (%d bytes).
PRIVMSG %s :send() failed.
PRIVMSG %s :Transfer accepted, sending...
PRIVMSG %s :accept() failed.
PRIVMSG %s :DCC send timed out.
PRIVMSG %s :
DCC SEND %s %d %d %d
NOTICE %s :DCC Send %s (%s)
PRIVMSG %s :Sending file to %s...
PRIVMSG %s :bind() failed.
PRIVMSG %s :Unicode vulnerable server on %s.
HTTP/1.0 200 OK
HTTP/1.1 200 OK
GET %sdir HTTP/1.1
PRIVMSG %s :SQL server with open 'sa' account on %s.
xp_cmdshell 'ping 127.0.0.1'
PRIVMSG %s :IP range scan complete.
PRIVMSG %s :Open port found on %s[:%d].
PRIVMSG %s :IP range scan started...
PRIVMSG %s :DCC console closed.
Error while killing process.
Syntax: process kill <pid>.
Error while enumerating modules.
Syntax: process modules <pid>.
Sub-commands of 'process':
list, kill, modules.
End of process list.
%s - %d.
Number of active processes: %d.
End of module list.
End of directory list.
Listing Directory: %s.
Error while deleting file.
Error while copying file.
Sub-commands of 'file':
End of network list.
Sub-commands of 'network':
file, process, network.
Welcome to the Wisdom DCC console.
Current system uptime: %d day(s), %d hour(s) and %d minute(s).
PRIVMSG %s :DCC console activated.
Now AFAIK this does look like a gabot or spybot variant (I think), but on virustotal.com, only the following vendors detected it (as of the time of this post):
Yesterday only 4 vendors detected it (AntiVir, ClamAV, Kaspersky, NOD32v2).
This is a report processed by VirusTotal on 03/08/2005 at 01:22:19 (CET) after scanning the file "WINFRW.EXE".
Antivirus    Version          Update      Result
AntiVir      220.127.116.11   03.07.2005  BDS/Wisdoor.K
AVG          718              03.07.2005  no virus found
BitDefender  7.0              03.07.2005  BehavesLike:Win32.IRC-Backdoor
ClamAV       devel-20050130   03.08.2005  Trojan.Wisdoor-6
DrWeb        4.32b            03.07.2005  no virus found
eTrust-Iris  18.104.22.168    03.07.2005  no virus found
eTrust-Vet   22.214.171.124   03.07.2005  no virus found
Fortinet     2.51             03.08.2005  no virus found
F-Prot       3.16a            03.07.2005  no virus found
Ikarus       2.32             03.07.2005  no virus found
Kaspersky    126.96.36.199    03.08.2005  Backdoor.Win32.Wisdoor.av
NOD32v2      1.1021           03.07.2005  probably unknown NewHeur_PE virus
Norman       5.70.10          03.07.2005  no virus found
Panda        8.02.00          03.07.2005  W32/Gaobot.DLA.worm
Sybari       7.5.1314         03.08.2005  W32/Sdbot.worm.gen
Symantec     8.0              03.07.2005  no virus found
I also sent the file to Symantec (which I use) and isc.sans.org...
The good news is that the link it was downloaded from was quickly disabled and returned a code 500 around midnight already.
Credit travels up, blame travels down -- The Boss
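The post above does its triage by eye: run `strings` over the binary and recognise the IRC protocol templates, the `net user /add` lines, the xp_cmdshell probe and the traversal string. As an added example (not code from the original post, and not run against the real winfrw.exe), the Python below does the same two steps mechanically: a `strings`-style extraction of printable ASCII runs, followed by matching each run against a set of indicator families. The sample bytes are constructed from strings quoted in the post, and the family names, regular expressions and the overlong-UTF-8 traversal encodings (%c0%af, %c1%1c) are this example's own assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample, not the real winfrw.exe: a handful of the strings the post
# quotes, embedded among non-printable filler the way they sit in a PE data section.
SAMPLE_BINARY = (
    b"\x00\x01\x02MZ\x90\x00"
    b"PRIVMSG %s :%s\x00\x00"
    b"net user /add System hakt\x00"
    b"net localgroup /add Administrators System\x00\xff\xfe"
    b"xp_cmdshell 'ping 127.0.0.1'\x00"
    b"/script/../../cmd.exe\x00\x01"
    b"PRIVMSG %s :KeySpy enabled.\x00"
    b"Screen capture saved to %s.\x00"
    b"DCC SEND %s %d %d %d\x00\x7f\x80"
    b"Welcome to the Wisdom DCC console.\x00"
    b"ab\x00"  # shorter than min_len, so `strings` would not print it
)

# Indicator families a triager would look for in a suspected IRC bot; the
# family names and patterns are this example's own choice, not a vendor's.
INDICATORS = {
    "irc_protocol": re.compile(r"^(PRIVMSG|JOIN|USER|NOTICE|QUIT)\b|^DCC SEND"),
    "account_creation": re.compile(r"^net (user|localgroup) /add", re.I),
    "mssql_xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "directory_traversal": re.compile(r"\.\./\.\./|%c0%af|%c1%1c", re.I),
    "surveillance": re.compile(r"KeySpy|webcam|Screen capture", re.I),
    "dcc_console": re.compile(r"DCC console", re.I),
}

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII at least min_len long: what `strings` prints by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def triage(data: bytes) -> dict[str, list[str]]:
    """Map each indicator family to the extracted strings that matched it."""
    hits: dict[str, list[str]] = defaultdict(list)
    for s in extract_strings(data):
        for family, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[family].append(s)
    return dict(hits)

def capabilities(data: bytes) -> list[str]:
    """Sorted list of indicator families present, for a one-line verdict."""
    return sorted(triage(data))

if __name__ == "__main__":
    for family, matched in triage(SAMPLE_BINARY).items():
        print(f"{family}:")
        for s in matched:
            print(f"    {s}")
```

Running it on a real file is `triage(open(path, "rb").read())`. The families are deliberately coarse: a hit on irc_protocol alone says little, but irc_protocol together with account_creation and mssql_xp_cmdshell is the profile the post describes, and that combination is what a triager would escalate on while waiting for vendor signatures.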
March 8th, 2005, 12:53 AM
Perhaps you could edit this message of yours and select NOT to parse URLs?
" Automatically parse URLs: automatically adds [ url ] and [ /url ] around internet addresses. "
Not that this link can really do a thing to me, but someone else could accidentally click on it while scrolling the text and trying to scroll back down or something.
March 8th, 2005, 01:08 AM
That link doesn't actually work anymore, it returned a code 500 last night and is now explicitly forbidden (403)... (Although I agree that not parsing it is a good thing)
Credit travels up, blame travels down -- The Boss
March 8th, 2005, 03:33 AM
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
March 8th, 2005, 04:35 AM
Ok, I just got a reply from Symantec concerning my file submission: it was assigned the new designation Backdoor.Solufina
This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
Please contact your Technical Support representative if more detailed information about your submission is required. Do not reply to this message.
Below is a status update on your virus submission:
Date: March 7, 2005
We have analyzed your submission. The following is a report of our findings for each file you have submitted:
result: This file is infected with Backdoor.Solufina
E:\Users\ammo\forensics\WINFRW.EXE is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instructions at the end of this email message to install the latest RapidRelease definitions.
Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.
Downloading and Installing RapidRelease Definitions:
1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
2. Copy and paste the address ftp://ftp.symantec.com/public/englis...ease/sequence/ into the address bar of your Web browser and then press Enter. (This could take a minute or so if you have a slow connection.)
3. Now select the 41880 folder or a higher one. Open the folder.
4. Select the file symrapidreleasedefsi32.exe
5. When a download dialog box appears, save the file to the Windows desktop.
6. Double-click the downloaded file and follow the prompts.
This message was generated by Symantec Security Response automation
Should you have any questions about your submission, please contact our regional technical support from the Symantec website and give them the tracking number in the subject of this message.
Since it seems to be a new backdoor (or at least a variation), I guess I should go double-check that the IRC server the binary tries to connect to is informed/shut down...
Credit travels up, blame travels down -- The Boss