
Yet another MSN worm...

So, I log on to my computer this evening, and I get spammed with MSN messages like this:

"lol check http ://www. uglyphotos. net /photo223. PIF" (URL split for your safety ;)

I've added this to the database:
MD5SUM: aae98749a6d2cb23c3eba83a794f9edf
SHA1SUM: 8a39f2c7f954110227a753816f634d5359e5a349
SHA256SUM: 7dba761a6af4bbc18381d50c158470540f87e6a2aeefca6db18c10d8b3e6c8f2

I download the file and run it through virustotal.com and Jotti's virus scanner; only a few antivirus programs detect this thing, so I decide to take a look at it.

I boot up VMware and load my Windows XP malware analysis image, turn on Ethereal, Filemon, Regmon and the usual tools for checking what's happening on a computer.

Within a few seconds I have over 50 Internet Explorer popups, and 3 different programs are installed that warn me about my computer being at risk from all the spyware that has infected it.

"Technical details" (please note, it's late here and I'm tired atm ;)

The PIF file itself is a downloader/seeder that connects to the uglyphotos.net URL, downloads a ton of files and runs them; while doing this it tries to send the link to everyone on MSN Messenger.

After this it is hard to see which program downloads what (in Ethereal, and I don't have time, nor do I feel like disassembling all the programs downloaded), but a quick scan with F-Secure's online scanner says that the system is infected with 37 viruses and 20 pieces of spyware. That's pretty fast: after 10 minutes of online activity it downloaded over 10 MB.

Anyways, just a little story before bedtime, spelling/grammar errors are free today ;)
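A small triage helper in the spirit of the post, added here as an example (not the author's code): it flags chat links whose path ends in a directly executable extension such as .PIF even when the lure calls it a photo, accepts the defanged h**p form used on this page, and checks a sample's digests against the SHA-256 recorded above. The sample messages and the example.invalid link are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample messages in the same defanged "h**p" form the page
# uses; the last one is a benign link added for contrast.
SAMPLE_MESSAGES = [
    "lol check h**p://www.uglyphotos.net/photo223.PIF",
    "h**p://www.uglyphotos.net/sprY.exe",
    "h**p://promo.dollarrevenue.com/webmasterexe/drsmartload1135a.exe",
    "look at my holiday pics h**p://example.invalid/gallery/photo1.jpg",
]

# Extensions Windows runs as programs even when the lure text calls the
# link a "photo". PIF (Program Information File) is the one in the post.
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

# SHA-256 of the sample as recorded in the post's database entry.
KNOWN_BAD_SHA256 = {"7dba761a6af4bbc18381d50c158470540f87e6a2aeefca6db18c10d8b3e6c8f2"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def suspicious_links(message):
    """Return URLs in a chat message whose path ends in an executable
    extension. The check is case-insensitive so photo223.PIF is caught,
    and defanged h**p links are normalised first so pasted reports work."""
    text = message.replace("h**p", "http")
    hits = []
    for url in URL_RE.findall(text):
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in EXEC_EXTENSIONS):
            hits.append(url)
    return hits

def scan_messages(messages):
    """Map each message carrying a suspicious link to those links."""
    return {m: suspicious_links(m) for m in messages if suspicious_links(m)}

def digests(data):
    """The three digests the post records for a sample file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}

def is_known_bad(data):
    """True when the sample's SHA-256 matches a database entry."""
    return digests(data)["sha256"] in KNOWN_BAD_SHA256
```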

Thanks for the upload :)



I see what you mean, it drops these files when it runs and the dollarrevenue file just keeps downloading more and more :)

h**p://www.uglyphotos.net/sprY.exe
h**p://www.uglyphotos.net/alfa.exe
h**p://www.uglyphotos.net/Xinstall.exe
h**p://promo.dollarrevenue.com/webmasterexe/drsmartload1135a.exe