Worms: May 2008 Archives

MSNAgent attempts to hide from security analysts


Recently I came across a threat facing MSN Messenger users that employs extremely devious means of infection. The actual executable for this MSN worm is hidden in a .jpg file.

picture.PNG

The reason there is no preview available is that this isn't a picture, but executable code in the guise of a picture file.
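A defender-side check for the disguise described above, as an added example that is not part of the original post: it flags files whose image extension disagrees with their leading bytes, and specifically those carrying a Windows PE header. The function names and the sample files are hypothetical and constructed for the demonstration.

```python
import struct
import tempfile
from pathlib import Path

# Leading magic bytes of the genuine formats, keyed by extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(path: Path) -> str:
    """Return 'ok', 'executable' or 'mismatch' for a file with an image extension."""
    # A PE header beyond the first 4 KiB is not recognised here, but such a file
    # still fails the image-magic check and is reported as 'mismatch'.
    data = path.read_bytes()[:4096]
    if is_pe(data):
        return "executable"
    if data.startswith(IMAGE_MAGIC[path.suffix.lower()]):
        return "ok"
    return "mismatch"

def scan(root: Path) -> dict:
    """Classify every image-named file under root, keyed by file name."""
    return {p.name: classify(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in IMAGE_MAGIC}

def demo() -> dict:
    """Run scan() over constructed samples: a PE stub named .jpg, a JPEG header, text named .png."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "photo.jpg").write_bytes(bytes(stub))
        (root / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 32)
        (root / "notes.png").write_bytes(b"just text")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan()` at a downloads or Temporary Internet Files directory reports any image-named file that is really an executable.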

 

What makes this so interesting is the lengths to which the attacker is willing to go to hide from detection by commonly used security applications. Only by using certain tools can you see the threat running behind the scenes. Here you can see an ominous, almost legitimate-looking application called "MSNAgent" running.

txtfile.PNG

MSNAgent starts up when the computer boots up.

MSNAgent has the ability to connect to a remote server for the purpose of stealing your MSN username and password. The file "gf1008.exe" is originally saved in the Temporary Internet Files to avoid too much suspicion. It's on the Desktop in this example for the purposes of testing.

autostart.PNG

This is shown to the user whenever the computer is restarted.

Taking a closer look at gf1008.exe shows you the following:

bintext.PNG

You can see here that this file is directly related to the autostart value "MSNAgent". It also shows us that it's trying to make a connection to a remote server as well as get the user to change their password, presumably for the purpose of phishing the user.

Attempting to find this threat running with other free security apps might be a problem.

Hijackthis:

hijackthis.PNG

Regcrawler:

regedit.PNG

MSNAgent can't be found in the registry through traditional means either.

Hijackthis is one of the common security applications used to verify if there is an infection when users try to get help from other users on a forum.  Most of the time, Hijackthis is the first step when trying to find the threat.

Never fear though.  We detect this threat as MSNAgent.  Using our Microscanner should reveal if you are currently under surveillance.



About this Archive

This page is an archive of entries in the Worms category from May 2008.
