Worms: January 2008 Archives

An MSN Worm appears to be in the wild which retains some of the functionality of a worm mentioned here, but with some additional features (such as sending spam).

Initially, it sends the victim a message regarding Myspace (in our testing, this was the only message it sent, unlike the worm linked above, which had numerous options to choose from):

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn1-thumb.jpg

Before you know it, you'll be sending lots and lots of spam - I hope your friends are looking for high quality luxury watches:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn2-thumb.jpg

Finally, the payload drops a file onto the computer that attempts to execute remote code - it seems they're attempting to exploit victims with this.

Here's the (randomly named) file in question that causes this, deposited into your System32 Directory:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn3-thumb.jpg

We detect this as MN.Spooler.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

About this Archive

This page is an archive of entries in the Worms category from January 2008.
