MSN Messenger – A Medium for Worms to spread

The worms using MSN Messenger to spread have a tendency to try connecting to a specific page to relay details of the program MSN Messenger of the user to its creator.

In its weekly report, PandaLabs identified two worms - Addon.B and MSNPoopy.A - targeting MSN Messenger to spread.

The report first mentions Addon.B, a malware specimen in the form of a .zip file known as Foto_cellular on MSN Messenger. Once the user opens and runs the file enclosed, a copy of the work installs itself on the computer.

Using the name of Foto_cellular.scr, copies of Addon.B are made on all the drives. After running, it proceeds to download the second component of the worm, sexy.wm. Then the malware connects to two Web pages awaiting commands, including downloads of other malicious codes to the affected system for self update.

PandaLabs found a similarity in the techniques that MSNPoopy.A uses to that of Addon.B for spreading via MSN Messenger. It lures users to open the attached file with names like img1756 in compressed .zip format using descriptions like a cute new puppy or a picture of the sender as a kid.

Users who open the attachment and run the file inside end up infected. In addition, the worm also sends the message to all the addresses in the user's address book exposing them to the risk of infection.

MSNPoopy.A manipulates the Windows registry so that on system start up, it runs every time. It also attempts to link to other IM (Instant Messaging) channels to relay information or to spread further.

In the opinion of Luis Corrons, Technical Director of PandaLabs, there should be nothing surprising about cyber criminals preferring instant messaging to spread their misdeeds. With daily users running into millions, it offers an extremely easy and fast option for infecting users in large numbers, according to news by Utteraccess on August 11, 2007.

Another finding in the PandaLabs report was the ability of criminals to use Shark 2, a tool for downloading Trojan to specify the server for the Trojan to connect to, to ensure that the Trojan is run each time the system restarts, displays error messages or run other files. Malicious users can also use the tool to carry out specific actions for processes and services, for example halting services, shutting down, deleting user server, etc.

Related article: MSN, YIM Users Targeted With a Fake Application

» SPAMfighter News - 8/27/2007