
New Licat (MSN Worm)

Another MSN worm is on the loose; here is the message from MSN:

---------------------------------------------------------
XXXXX@msn.com says:
lol check hxxp://peopleonline.pe.funpic.de/ photo942.PIF
---------------------------------------------------------

Basically it does the same stuff as the previous one: it tries to download and install some spyware, sends the link to all MSN Messenger contacts, and messes up the Internet Explorer settings.

File:
MD5SUM: 45c4287190a84ce6124324627da8c8bb
SHA1SUM: 0759f814e6080fa0a67752b31fe35d15003b5aa7
SHA256SUM: 5195e686421c0f7da14a5f0b6f40478c775245fe4c065918bbb3d4f984fb0f5b

It downloads:
hxxp://www.uglyphotos.net/sprT.exe
hxxp://www.uglyphotos.net/alpha.exe
hxxp://www.uglyphotos.net/Xinstall.exe
hxxp://propromo.dollarrevenue.com/bundle/drsmartload.exe

And opens this in Internet Explorer:
hxxp://www.uglyphotos.net/install.html

I didn't upload the files it downloads to the virus database, because it's spyware stuff :)


>hxxp://peopleonline.pe.funpic.de/ photo942.PIF
>Basicly it does the same stuff as the previous
Yes, the address comes from sprT.exe which is (iirc) downloaded by the previous worm :)

thanks for the post

Awesome. Also feel free to add spyware too, we don't discriminate.

V.

Worm Removal

Can you please advise how a novice can get rid of this worm? Delila


I took a glance at the main file only, but from what I remember you can try to follow these steps:

You are infected if the size of msgs.exe is not equal to the size of msnmsgr.exe (msnmsgr.exe is really small); in this case you can look for the files suggested by Drean: sprT.exe, alpha.exe, Xinstall.exe, drsmartload.exe. I'm almost sure the name of the first file is not always the same; I think the 4th letter is random. If they are running, kill these processes.
Kill msnmsgr.exe (which is the worm...), delete it and make a copy of msgs.exe, renaming it to msnmsgr.exe.

That should solve the problem; can someone who did a deeper analysis confirm it?

Yes...

That sounds correct. Also, remember to reset the Internet Explorer settings, because the worm changes them so that every website can execute code on your system.

Also, since the worm installs a shitload of spyware, you should run a few tools that can detect and remove spyware and viruses, tools like Ewido, Dr.Web CureIt and SUPERAntiSpyware.
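As an added example (this is not code from the original post or from either reply), here is a small offline Python scanner that applies the indicators given in this thread: the three hashes the post lists for photo942.PIF, the dropped-file names (with sprT.exe matched as `spr?.exe`, since the reply says the 4th letter seems to be random), and the size comparison between msgs.exe and msnmsgr.exe from the removal steps, followed by the "delete the worm, copy msgs.exe back" step. The Messenger install directory is an assumption passed in by the caller, and the sample directory it builds contains constructed dummy files, not real malware. Killing the running worm process is left to the user, as the reply describes.

```python
"""Added example for this thread: scan a directory for the Licat indicators
posted above and restore the Messenger client as the reply suggests.
Assumptions: the caller passes the MSN Messenger install directory; the
sample files below are constructed stand-ins, not the actual worm."""
import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field

# Hashes published in the post for the worm file (photo942.PIF).
KNOWN_HASHES = {
    "md5": "45c4287190a84ce6124324627da8c8bb",
    "sha1": "0759f814e6080fa0a67752b31fe35d15003b5aa7",
    "sha256": "5195e686421c0f7da14a5f0b6f40478c775245fe4c065918bbb3d4f984fb0f5b",
}

# Dropped-file names from the post; the reply says sprT.exe's 4th letter varies.
DROPPED_NAME_RE = re.compile(r"^(spr.\.exe|alpha\.exe|xinstall\.exe|drsmartload\.exe)$")


@dataclass
class ScanResult:
    hash_hits: list = field(default_factory=list)    # files whose digest matches the post
    name_hits: list = field(default_factory=list)    # files matching the dropped-file names
    suspect_sizes: dict = field(default_factory=dict)  # sizes of msgs.exe / msnmsgr.exe
    size_mismatch: bool = False                       # the reply's infection test

    @property
    def infected(self):
        return self.size_mismatch or bool(self.hash_hits) or bool(self.name_hits)


def file_digests(path):
    """Compute md5, sha1 and sha256 of one file in a single pass."""
    hashes = {name: hashlib.new(name) for name in KNOWN_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def scan_directory(directory):
    """Apply the thread's indicators to every regular file in `directory`."""
    result = ScanResult()
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()  # Windows file names are case-insensitive
        if DROPPED_NAME_RE.match(lower):
            result.name_hits.append(lower)
        digests = file_digests(path)
        if any(digests[algo] == known for algo, known in KNOWN_HASHES.items()):
            result.hash_hits.append(lower)
        if lower in ("msgs.exe", "msnmsgr.exe"):
            result.suspect_sizes[lower] = os.path.getsize(path)
    # Reply's test: the worm sits in msnmsgr.exe's place and is much smaller
    # than the real client (msgs.exe), so the two sizes differ when infected.
    sizes = result.suspect_sizes
    if len(sizes) == 2 and sizes["msgs.exe"] != sizes["msnmsgr.exe"]:
        result.size_mismatch = True
    return result


def restore_client(directory):
    """Reply's last step: once the worm process has been killed (e.g. from
    Task Manager), delete msnmsgr.exe and put a copy of msgs.exe in its place."""
    worm = os.path.join(directory, "msnmsgr.exe")
    original = os.path.join(directory, "msgs.exe")
    if not os.path.isfile(original):
        raise FileNotFoundError("msgs.exe is missing; nothing to restore from")
    if os.path.isfile(worm):
        os.remove(worm)
    shutil.copy2(original, worm)


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(data)


def build_sample_dir(infected):
    """Constructed demo directory (dummy bytes, not malware) for offline runs."""
    d = tempfile.mkdtemp(prefix="licat_demo_")
    real_client = b"MZ" + b"\x00" * 4096          # stand-in for the real client
    if infected:
        _write(d, "msnmsgr.exe", b"MZ" + b"\x00" * 64)   # small worm in the client's place
        _write(d, "msgs.exe", real_client)               # real client, renamed by the worm
        _write(d, "sprQ.exe", b"MZ" + b"\x00" * 128)     # dropped downloader, random 4th letter
    else:
        _write(d, "msnmsgr.exe", real_client)
    return d


if __name__ == "__main__":
    demo = build_sample_dir(infected=True)
    before = scan_directory(demo)
    print("infected:", before.infected, "name hits:", before.name_hits, before.suspect_sizes)
    restore_client(demo)
    after = scan_directory(demo)
    print("size mismatch after restore:", after.size_mismatch, after.suspect_sizes)
```

The hash check will only fire on a copy of the actual photo942.PIF, so on the constructed sample it stays empty; the file-name and size checks are what trigger there. After `restore_client` the size test clears, but the dropped downloader is still reported, which matches the reply's advice to hunt those files down separately.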