The SpywareGuide Greynets Blog: JT.Moonwalk Dances Onto An MSN Client Near You

Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories

SpywareGuide powered by FaceTime Security Labs

Search SpywareGuide Greynets Database & Site

Security Email Alerts & Updates

Search the Blog

Recent Posts
More Fake Instant Messaging Scams Fake GoogleTalk Application In The Wild Random Skype Conversations With A Bulgarian...Sort Of Comments Working (Again!) Memehacks It's A Trap! I Just Called, To Say.......Nothing, Actually Beware: New MSN Messenger Password Stealing Program In The Wild Pinont.com - No Need To Panic The Spectre Of Rogue Facebook Applications, Back Once More

Categories
419 Adware / Spyware Issues Botnets Conferences Development EULA Madness In The Press Instant Messaging Instant Messenging Miscellaneous Myspace P2P / File Sharing Phish Phishing Scams Privacy Issues Research Adware Research Greynets Research Spyware Research Technical News Round Up Social Networking Spam The Mail Bag Tips and Tricks Travel Videogames Worms

Monthly Blog Archives
May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 March 2006 February 2006

Links
FaceTime VitalSecurity Revenews XBlock

Subscribe
Subscribe to this blog's feed

About the Blog
About SpywareGuide Greynets Blog

Link to Us
Link to SpywareGuide.com

« Bubbles...For Kids! | Main | Security Monitor Spam Continues »

JT.Moonwalk Dances Onto An MSN Client Near You

Sometimes we obtain files and they just sit there, doing nothing. Here's a case where we went back for a second look and lots of IRC activity eventually kicked into life. This particular infection takes place as follows:

1) The bad guys infect your PC with an initial infection link, dropping you into a Botnet.

http://blog.spywareguide.com/upload/2007/09/insidejtworm-thumb.jpg

Click to Enlarge

2) The Botnet is fired up periodically and they deposit a collection of Zipfiles (each containing more infections) onto your PC.

http://blog.spywareguide.com/upload/2007/09/zipstorage1-thumb.jpg

Click to Enlarge

3) Infection commands are then sent via IRC to tell the infected PC to send your contacts infection links to the Zipfiles stored in your Windows directory.

http://blog.spywareguide.com/upload/2007/09/msnjt_replacement-thumb.jpg

Click to Enlarge

Some of the infection messages include

"Look at my new dancing movie"

"Look at me doing the moonwalk!!"

"Look what I found, more nude pictures of Justin Timberlake!"

We detect this (naturally enough) as JT.Moonwalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, Senior FSL Senior Threat Researcher

Posted by Paperghost on September 20, 2007 09:53 AM | Permalink

TrackBack

TrackBack URL for this entry:
http://blog.spywareguide.com/mt/mt-tb.cgi/216

Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds | Link To Us | SpywareGuide Japan

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.