NextDoor Worm Spreads across MSN


There is a lot of talk out there in the Ether about worms that are spreading through MSN clients and adding unsuspecting users to their botnet. These kinds of attacks are among the most dangerous and pose a very real security threat. It doesn't take much imagination to see that these attackers will use the botnet to DDoS their enemies. There are dozens of these kinds of worms floating around, however. FSL recently uncovered one we dub NextDoor. Like the other worms of its kind, once it is on the infected PC it attempts to message every MSN contact in order to infect more users. What sets these worms apart is what they do to the victim after the initial infection. Some simply show advertisements or a wide variety of porn; others log the victim's keystrokes in order to harvest very sensitive information such as passwords or credit card numbers. NextDoor installs a dialer (called Carlson Dialer) onto the victim's PC to make long-distance calls.

First you will see a suspicious-looking message with a .zip attachment.

Of course, your involvement after this step isn't necessary; from here the worm carries out its attack on its own.
NextDoor connects to an IRC channel and begins pulling down infected files over FTP.

Now we see what has been installed onto the victim's machine.
The file with the ominous looking icon is the dialer that is installed by this worm.
The actual MSN worm is stored in the Windows Directory.
These two files are involved in setting up an FTP connection with the attacker.

Now that your computer is fully infected, Carlson Dialer begins its main function.
It geolocates the victim's IP address and maps it to a country code.

This is what it would look like in a regular browser...

To get an idea of how recently this worm was updated...
The infection that FSL came across first has been around since Nov. 26, 2007.

Those aren't normal .jpgs either: each .jpg file on the attacker's site is a dialer that uses the JPG vulnerability.
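As an added defender-side check for the point above (example code written for this post, not FaceTime's own tooling, and run against constructed byte strings rather than the attacker's files): a download that arrives under a .jpg name is classified by its content, so an executable renamed to .jpg, or a JPEG with executable bytes appended after the image, is flagged instead of being trusted by its extension.

```python
import struct

JPEG_SOI = b"\xff\xd8"   # Start Of Image
PE_MAGIC = b"MZ"         # DOS/PE executable header


def classify_jpg(data: bytes) -> str:
    """Classify bytes that arrived under a .jpg name by content, not extension.

    'jpeg'          SOI present and marker segments parse through to EOI
    'pe-in-jpg'     starts with MZ: a Windows executable renamed to .jpg
    'jpeg-trailer'  well-formed JPEG with extra bytes appended after EOI
    'not-jpeg'      none of the above (empty, truncated or other formats)
    """
    if data.startswith(PE_MAGIC):
        return "pe-in-jpg"
    if not data.startswith(JPEG_SOI):
        return "not-jpeg"
    pos = 2
    # Walk header segments (APPn, DQT, SOF, DHT ...) up to Start Of Scan;
    # assumes no 0xFF fill bytes between segments, which writers rarely emit.
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return "not-jpeg"
        marker = data[pos + 1]
        if marker == 0xDA:   # SOS: entropy-coded data runs until EOI (FF D9)
            end = data.find(b"\xff\xd9", pos + 2)
            if end == -1:
                return "not-jpeg"
            return "jpeg" if end + 2 == len(data) else "jpeg-trailer"
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return "not-jpeg"
        pos += 2 + length
    return "not-jpeg"


def suspicious_downloads(files: dict) -> list:
    """Names of .jpg downloads whose content is not a plain JPEG."""
    return sorted(n for n, d in files.items() if classify_jpg(d) != "jpeg")


# Constructed samples (not the attacker's real files): a minimal JFIF image,
# an executable renamed to .jpg, and a JPEG with executable bytes after EOI.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16)
               + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xda"
               + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
SAMPLE_FILES = {"photo1.jpg": SAMPLE_JPEG,
                "photo2.jpg": b"MZ\x90\x00" + b"\x00" * 60,
                "photo3.jpg": SAMPLE_JPEG + b"MZ\x90\x00",
                "photo4.jpg": b""}
```

A file that genuinely exploits the JPEG decoder can still pass this structural check, so it narrows candidates at a proxy or gateway but is no substitute for patching the image parser.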

Facetime currently protects against this threat as well as the dialers it installs.


About this Entry

This page contains a single entry by Chris Mannon published on November 29, 2007 8:05 AM.
