MSN infections

Discussion in 'NOD32 version 2 Forum' started by 'G', Dec 21, 2007.

Thread Status:
Not open for further replies.
  1. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Is NOD32 not meant to be able to detect and disinfect the infections that go around on MSN?

    My neighbour has been using the latest version of MSN and she clicked on one of the messages, as it seemed genuine from a friend.

    So I go round there, clean all the temp and junk, disable System Restore, ensure NOD32 has the latest version and def file, and it detects nothing. Even so, MSN is still knocking out the rubbish about "what do you think about my eyes", "I have your pict do ya want me to upload it to Myspace (or FreeSpace)".

    A friend of mine's daughter gets the photo rar archive files a great deal. I never used MSN, so asked her what MSN looked like and why everyone used it over my preferred instant messaging platform, Trillian. So she did, and within 5 mins we had the potential of 5+ infections.

    I dragged one over to the Desktop and scanned it with F-Secure Antivirus Client V7 (latest version and updates) and it found nothing too.

    Are these types of infection undetected by NOD32 and other AV programs for a reason? They shouldn't be, because they are a real pain for the user, who is constantly infecting other users if they try and use it, so they cannot use it any more until I can get them over to Trillian.

    Input please.
     
  2. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    A friend of mine has Avast installed on his computer. He was infected with the "MSN" virus (actually a couple of trojans and a keylogger). Avast detected the infection after the fact but couldn't clean it. I downloaded the NOD32 online scanner and it cleaned it up pretty well. Of course I had to delete all System Restore files, and finished the clean-up using SuperAntiSpyware.
     
  3. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    OK, the person concerned deleted the file before I got there.

    Once I got on the system I disabled SR. The problem is she hasn't accepted any more since, and the MSN infection messages are still going out.

    It didn't pick the infection up though, because if it had, NOD32 V2.7 would have emailed me, as I have it set up to let me know so I can sort it out ASAFP.

    Thanks for your help. I'm going to go round there now and scan it with CounterSpy.
     
  4. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Well, I have scanned their system with CounterSpy (latest version and latest def update) and this is what it has found that ESET NOD32 V2.7 (latest version and def update) could not.

    CS states that there is an infection that did start on Windows boot called:

    Trojan.Win32.Agent.dld

    I have the file here.

    My version of NOD32 V2.7 will not detect it but CS will.

    ~VirusTotal results removed per Policy. Submit file to ESET. - Ron~
     
    Last edited by a moderator: Dec 22, 2007
  5. richo

    richo Registered Member

    Joined:
    Jul 15, 2005
    Posts:
    73
    There has been a large number of viruses sent by MSN lately. I was first sent one 2 weeks ago. I found it interesting comparing the detection of some of these files over a several-day period by various antivirus programs via Jotti's. Many antivirus products seemed to take many days to detect the malware, and NOD32 was not very fast in adding detection. The heuristics didn't pick up on it either. The files were obviously suspicious, and it highlights that you cannot solely rely on any antivirus, but must use a fair bit of common sense.
     
  6. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    My best mate's eldest daughter uses it, and I was joking that I could password-retrieve every MSN account she had for it within a minute (and I can). So she opened MSN up.

    But I asked her seriously if I could have a look at MSN executed, as I wanted to understand what all the fuss was about (the reason why people like or use it so much). So she opened it, and within 5 mins she had potentially 5-6 infections. I couldn't believe how easy it is for kids and people not in the know to use something that could exploit their otherwise sound and secure system. I carefully accepted the attachment, dragged it on to the desktop and scanned it with the latest version of F-Secure Anti-Virus Client V7+ and the latest def version. It failed to detect it. Now, if an AV prog that uses the Kaspersky virus database cannot detect it, it may say to the user that the attachment is OK – wrong.

    So I went back to my neighbour's and explained that I was amazed that MSN was a Trojan magnet, which it is. I strongly recommended that they switch over to Trillian.

    This is what they are all going to do. The odd thing is, Trillian will import the contacts from MSN, but Trillian will not go online and the contacts are orphaned. This has happened twice to me.

    It must have something to do with MSN being on the machine at the same time. So I'm going to use a plug-in to back up MSN contacts and settings, and uninstall it. Reboot and see if Trillian will work then. If not, I can restore MSN within minutes – contacts and settings.

    Why people are using rubbish like these single instant messaging platforms is beyond me.

    Infections across MSN alone must be growing at a geometric rate.

    So it is not just NOD32 that is behind; many AV prog devs are also. How can they keep up?

    My advice is to dump MSN in particular but also any single platform instant messaging program and move to Trillian Basic, which is free.

    A multi-layered approach is best, but as you say, common sense rules.

    I wonder how ESET's anti-malware engine got on with these infections that CounterSpy was able to detect and remove.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    While I agree that MSN is a piece of crap, most infections come from clicking on random links and/or downloading/accepting files from trusted peers (which are already infected), and not from flaws in the application itself. So, switching to a different IM client isn't going to help much.
     
  8. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    I take your point and I also explain this to family, friends and clients.

    But I would hazard a guess that less informed users are using MSN etc. and are likely to fall for the trick of a file that says "look at my eyes" if it is coming from a trusted friend.

    Trillian does not allow this. Everything must be sent by the user and is not automatically sent like MSN. However, an MSN setting may eliminate this problem too.

    Regardless, MSN is a clear and present threat to an otherwise sound and secure system.

    Use MSN and fall for the tricks that pop up continuously, and all bets are off with regards to system security.

    I would advise anyone reading this to convince users to move to Trillian Basic, which is free and multi-platform.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Other options:
    - Run the IM with restricted rights using StripMyRights, so the IM app (and all the objects received through it) will be locked out of the core of the OS.
    - Run the IM sandboxed using Sandboxie, so all the objects created by the sandboxed app will be redirected to a virtual container and dumped later.
     
  10. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Thanks for the extra info.

    I submitted the file but it is still undetected.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, we all know that ESET is slow at adding user-submitted malware, so wait and relax.
     
  12. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    So it would seem, even though there are a lot of MSN users getting caught over the festive period.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Not only MSN users :) Such stupid tricks fool a large amount of people.
     