Worms: November 2007 Archives

NextDoor Worm Spreads across MSN


There is a lot of talk out there in the Ether about worms that spread through MSN clients and add unsuspecting users to a botnet. These kinds of attacks are among the most dangerous and pose a very real security threat; it doesn't take much imagination to see that these attackers will use their botnets to DDoS their enemies. There are dozens of these kinds of worms floating around out there, however. FSL recently uncovered one we dub NextDoor. Like the other worms of its kind, once it is on the infected PC it will attempt to message all of the victim's MSN contacts in order to infect more users. The difference between these worms is what they do to the victim after the infection. Some will simply show advertisements or a wide variety of porn; others log the victim's keystrokes in order to harvest very sensitive information like passwords or credit card numbers. NextDoor installs a dialer (called Carlson Dialer) onto the victim's PC to make long distance calls.

First you will see a suspicious looking message with a .zip attachment.

http://blog.spywareguide.com/upload/2007/11/chat-thumb.PNG
Party_jpg.zip contains www.Party_jpg_Msn.com.
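The lure works because the archive is named like a photo while the member inside is a .com executable dressed up as a web address. As an added example that is not part of FSL's post, the following Python flags archive members that carry an executable extension or an MZ header behind an image- or URL-looking name; the sample archive it builds is constructed to mimic the Party_jpg.zip naming and is not the real file.

```python
import io
import zipfile

# Extensions Windows will execute directly even though the lure
# presents the archive as a photo ("Party_jpg.zip").
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Tokens that make a member name look like an image or a web address.
LURE_TOKENS = ("jpg", "jpeg", "gif", "png", "www.", "msn")


def inspect_archive(zip_bytes):
    """Return (member name, reasons) for every member that is an executable
    hiding behind an image- or URL-looking name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % ext)
            # Look for lure tokens in the name with the real extension removed.
            stem = lower[:-len(ext) or None]
            if any(tok in stem for tok in LURE_TOKENS):
                reasons.append("image/URL-looking name")
            # MZ is the DOS/PE executable header; a real JPEG starts with FF D8.
            head = zf.open(info).read(2)
            if head == b"MZ":
                reasons.append("MZ executable header")
            if ext in EXECUTABLE_EXTENSIONS or head == b"MZ":
                findings.append((name, reasons))
    return findings


def build_lure_zip():
    """Constructed sample archive (hypothetical content, not the real worm):
    one disguised executable next to one genuine-looking JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("www.Party_jpg_Msn.com", b"MZ" + b"\x00" * 62)
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_archive(build_lure_zip()):
        print(member, "->", ", ".join(why))
```

Only the .com member is reported; the genuine JPEG passes because it has neither an executable extension nor an MZ header.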

Of course, your involvement after this step isn't necessary; from here the worm carries out its attack on its own.

http://blog.spywareguide.com/upload/2007/11/IRC-thumb.PNG
NextDoor creates a connection to an IRC channel and begins to pull down infected files using FTP.

Now we see what has been installed onto the victim's machine.

http://blog.spywareguide.com/upload/2007/11/cdrive-thumb.PNG
The file with the ominous looking icon is the dialer that is installed by this worm.

http://blog.spywareguide.com/upload/2007/11/windows-thumb.PNG
The actual MSN worm is stored in the Windows Directory.

http://blog.spywareguide.com/upload/2007/11/sys32-thumb.PNG
These two files are involved in setting up the FTP connection to the attacker.

Now that your computer is entirely infected, Carlson Dialer begins its main function.

http://blog.spywareguide.com/upload/2007/11/call-thumb.PNG
It geolocates the victim's IP address and associates it with a country code.

This is what it would look like in a regular browser...

http://blog.spywareguide.com/upload/2007/11/dialer-thumb.PNG

To get an idea of how recently this worm was updated...

http://blog.spywareguide.com/upload/2007/11/end-thumb.PNG
The infection that FSL came across first has been around since Nov. 26, 2007.

Those aren't normal .jpgs either; they are dialers that use the JPG vulnerability.
http://blog.spywareguide.com/upload/2007/11/picture-thumb.PNG
Each .jpg file on the attacker's site uses the JPG vulnerability.

Facetime currently protects against this threat as well as the dialers it installs.

About this Archive

This page is an archive of entries in the Worms category from November 2007.
