Fake msmsgs.exe creating .pnf files?

Discussion in 'malware problems & news' started by nil, Aug 23, 2005.

Thread Status:
Not open for further replies.
  1. nil

    nil Registered Member

    Joined:
    Aug 23, 2005
    Posts:
    2
    Location:
    Perth, W. Australia
    Hi all.

    I noticed "msmsgs.exe" running as a task during a recent net session which rang alarm bells as I don't have messenger installed on my system (Win98SE). A further check showed the following registry entries had been changed:

    RegSvr32 C:\WINDOWS\SYSTEM\msmsgs.exe Machine Run
    Shell Explorer.exe, msmsgs.exe Machine Shell Value
    Notepad.exe msmsgs.exe Machine Policies

    and that a PNF (precompiled INF file?) had been created for every .inf file in %windir%\INF (all shared the same datestamp as msmsgs.exe so I suspect they were generated as part of the infection process).

    Spybot-SD subsequently detected "Smitfraud-C" though my system had none of the problems reported to be associated with that exploit, and while a net search for msmsgs.exe found info on many different trojans/worms/viruses known to use that filename (Trojan.Zlob.B, Agobot-Nl worm, ZHOPA trojan, W32.HLLW.Spirit, W32.Alcarys.B,..., many of which make reg entries similar to the above) I could find no reference to any exploit creating .pnf files like this one seems to.

    I let SpyBot do its thing and deleted msmsgs.exe and the pnf files and so far all's looking well (though maybe it was msmsgs' installer that dumped all those unicode fonts on my system... :)).

    Just in case it's of help to someone here's some info on the file in question:

    Type: Malware (Trojan)
    File: msmsgs.exe
    Size: 5,497 bytes
    MD5: 7d14af46a822f1bdcfa36f19c5fe5571.

    Happy hunting!
     
    Last edited: Aug 24, 2005
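The three registry entries in the post above are the classic shape of this hijack: a Run value pointing at a copy of msmsgs.exe in %windir%\system, a Winlogon Shell value with a second program chained after Explorer.exe, and a Policies entry. The script below is an added example (not code from the thread or from any of the scanners mentioned) that checks a list of autostart entries for exactly those patterns and compares a file's size and MD5 against the indicators nil posted. The genuine Messenger path under Program Files\Messenger is an assumption; the sample entries are the three from the post plus two constructed benign ones.

```python
import hashlib

# Indicators quoted in the post above: size and MD5 of the fake msmsgs.exe.
KNOWN_BAD_MD5 = "7d14af46a822f1bdcfa36f19c5fe5571"
KNOWN_BAD_SIZE = 5497

# Assumption: the genuine Windows Messenger binary lives under Program Files\Messenger.
GENUINE_MSMSGS_PATHS = (r"c:\program files\messenger\msmsgs.exe",)

# Constructed sample: the three entries from the post plus two benign ones
# (a legitimate Messenger Run entry and an untouched Winlogon Shell value).
SAMPLE_AUTOSTARTS = [
    ("RegSvr32", r"C:\WINDOWS\SYSTEM\msmsgs.exe", "Machine Run"),
    ("Shell", "Explorer.exe, msmsgs.exe", "Machine Shell Value"),
    ("Notepad.exe", "msmsgs.exe", "Machine Policies"),
    ("MSMSGS", r"C:\Program Files\Messenger\msmsgs.exe /background", "User Run"),
    ("Shell", "Explorer.exe", "Machine Shell Value"),
]


def check_autostart(name, data, location):
    """Return the reasons one autostart entry looks like the hijack described above."""
    reasons = []
    low = data.lower().strip()
    if "shell" in location.lower() and low != "explorer.exe":
        # Winlogon's Shell value should be exactly Explorer.exe; anything appended
        # is launched at every logon, which is how the fake kept itself running.
        reasons.append("Shell value runs something besides Explorer.exe")
    if "msmsgs.exe" in low and not any(p in low for p in GENUINE_MSMSGS_PATHS):
        # The real msmsgs.exe only starts from the Messenger folder; a copy in
        # %windir%\system or a bare filename is the giveaway nil describes.
        reasons.append("msmsgs.exe referenced outside the Messenger folder")
    return reasons


def scan_autostarts(entries):
    """Filter (name, data, location) tuples down to the suspicious ones, with reasons."""
    flagged = []
    for name, data, location in entries:
        reasons = check_autostart(name, data, location)
        if reasons:
            flagged.append((name, data, location, reasons))
    return flagged


def md5_and_size(blob):
    """Hash a file's bytes the way the post lists them (MD5 plus byte count)."""
    return hashlib.md5(blob).hexdigest(), len(blob)


def matches_known_bad(blob):
    """True only if both MD5 and size equal the sample nil posted."""
    return md5_and_size(blob) == (KNOWN_BAD_MD5, KNOWN_BAD_SIZE)


if __name__ == "__main__":
    for name, data, loc, why in scan_autostarts(SAMPLE_AUTOSTARTS):
        print(f"{loc:20} {name:12} {data!r}: {'; '.join(why)}")
    # Constructed stand-in for a file on disk; a real check would read the file's bytes.
    print("matches posted sample:", matches_known_bad(b"MZ" + b"\0" * 5495))
```

On a live system the entries would come from the Run keys, the Winlogon Shell value and the Policies keys instead of the constructed list; the checks themselves do not change. Matching on size and MD5 together avoids a false positive on a legitimately sized file with a coincidental name.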
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  3. nil

    nil Registered Member

    Joined:
    Aug 23, 2005
    Posts:
    2
    Location:
    Perth, W. Australia
    Hi there TopperID. Cheers for the reply.

    If you're referring to the default path for the REAL msmsgs.exe (Windows Messenger) then you're spot on - the fact that the fake attempts to load itself from %system% (%windir%\system on Win9x systems) is a dead giveaway.

    I never doubted that the msmsgs.exe file I had was malware though what was frustrating my efforts to track down the specific type (in the hope that it would help me to learn where it came from) was the lack of size/checksum information to be had for known "suspect" versions of msmsgs.exe. For example, of all the information given on the pages you linked (much appreciated by the way) the best that I could ascertain was that the file I had *wasn't* the Trojan.Zlob.B strain - that simply because Symantec listed the size of the infected file.

    Anyhow, after posting I learned of Jotti's malware scanner (http://virusscan.jotti.org/), so I uploaded the file and here's what it returned:

    File: msmsgs.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 7d14af46a822f1bdcfa36f19c5fe5571
    Packers detected: FSG

    Scanner results
    AntiVir Found TR/Dldr.Zlob.AH
    ArcaVir Found Trojan.Downloader.Zlob.Ah
    Avast Found Win32:Zlob-L
    AVG Antivirus Found Downloader.Zlob.CD
    BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
    ClamAV Found nothing
    Dr.Web Found Trojan.DownLoader.3841
    F-Prot Antivirus Found nothing
    Fortinet Found W32/Zlob.AH-dldr
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Zlob.ah
    NOD32 Found Win32/TrojanDownloader.Zlob.G
    Norman Virus Control Found W32/Zlob.S
    UNA Found nothing
    VBA32 Found Trojan-Downloader.Win32.Zlob.ah

    I know that absence of evidence isn't evidence of absence but being a known file I imagine that something would've already been written up about its ability to create .pnf files if it actually could, which helps confirm my initial thought that the pnf files were created by whatever installed msmsgs.exe rather than by msmsgs.exe itself (msmsgs.exe was created first so there was some doubt involved).

    So sorry (and joy!) folks but false alarm about a potential new strain of trojan.


    LOL. I tried that once but found trying to crawl down my phone line a real bugger :D

    Thanks for those links but I prefer not to go online - for any reason - if I suspect there's active malware on my system, and I think it's madness to relax internet security settings (as required by most online scanners) just to double-check the work of my offline scanners.

    Cheers again.
     
    Last edited: Aug 24, 2005
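Multi-engine reports like the Jotti output above are easiest to read once the vendor-specific naming is stripped away and the family names are tallied. The parser below is an added example, not part of the post or of Jotti's own tooling: it reads the fourteen result lines exactly as quoted above, separates engines that found nothing from those that returned a verdict, and counts which family token the engines agree on. The list of generic words it ignores (Win32, Trojan, Downloader and so on) is an assumption chosen for this report.

```python
import re
from collections import Counter

# The fourteen scanner lines copied from the post above, used as the parser's input.
JOTTI_RESULTS = """\
AntiVir Found TR/Dldr.Zlob.AH
ArcaVir Found Trojan.Downloader.Zlob.Ah
Avast Found Win32:Zlob-L
AVG Antivirus Found Downloader.Zlob.CD
BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.3841
F-Prot Antivirus Found nothing
Fortinet Found W32/Zlob.AH-dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Zlob.ah
NOD32 Found Win32/TrojanDownloader.Zlob.G
Norman Virus Control Found W32/Zlob.S
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Zlob.ah
"""

# Assumption: vendor-neutral words that say nothing about the family itself.
GENERIC = {"win32", "w32", "trojan", "downloader", "dldr", "trojandownloader",
           "behaveslike", "probable", "variant"}


def parse_results(text):
    """Map engine name -> verdict string, or None where the engine found nothing."""
    verdicts = {}
    for line in text.splitlines():
        if " Found " not in line:
            continue  # header or blank line, not a scanner result
        engine, verdict = line.split(" Found ", 1)
        verdict = verdict.strip()
        verdicts[engine.strip()] = None if verdict.lower() == "nothing" else verdict
    return verdicts


def family_votes(verdicts):
    """Count family-like tokens across verdicts, one vote per engine per token."""
    votes = Counter()
    for verdict in verdicts.values():
        if verdict is None:
            continue
        # Letters followed by letters/digits, so Win32 stays one token and
        # a bare number such as 3841 is ignored.
        tokens = {t.lower() for t in re.findall(r"[A-Za-z][A-Za-z0-9]{2,}", verdict)}
        votes.update(t for t in tokens if t not in GENERIC)
    return votes


def summarize(text):
    """Engine count, detection count and the family most engines agree on."""
    verdicts = parse_results(text)
    detections = sum(v is not None for v in verdicts.values())
    votes = family_votes(verdicts)
    top = votes.most_common(1)[0] if votes else None
    return {"engines": len(verdicts), "detections": detections, "top_family": top}


if __name__ == "__main__":
    summary = summarize(JOTTI_RESULTS)
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    print("family consensus:", summary["top_family"])
    for engine, verdict in parse_results(JOTTI_RESULTS).items():
        print(f"  {engine:24} {verdict or '-'}")
```

The consensus count is what makes the family identification defensible: nine of eleven detecting engines name Zlob, while BitDefender's heuristic name and Dr.Web's numeric name are outliers rather than contradictions.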