JT.Moonwalk Dances Onto An MSN Client Near You


Sometimes we obtain files and they just sit there, doing nothing. Here's a case where we went back for a second look and lots of IRC activity eventually kicked into life. This particular infection takes place as follows:

1) The bad guys infect your PC with an initial infection link, dropping you into a Botnet.

http://blog.spywareguide.com/upload/2007/09/insidejtworm-thumb.jpg

2) The Botnet is fired up periodically and they deposit a collection of Zipfiles (each containing more infections) onto your PC.

http://blog.spywareguide.com/upload/2007/09/zipstorage1-thumb.jpg

3) Commands are then sent via IRC telling the infected PC to message your contacts with infection links pointing to the Zipfiles stored in your Windows directory.

http://blog.spywareguide.com/upload/2007/09/msnjt_replacement-thumb.jpg

Some of the infection messages include:

"Look at my new dancing movie"

"Look at me doing the moonwalk!!"

"Look what I found, more nude pictures of Justin Timberlake!"

We detect this (naturally enough) as JT.Moonwalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, Senior FSL Senior Threat Researcher


About this Entry

This page contains a single entry by Christopher Boyd published on September 20, 2007 9:53 AM.
