MSNMaker/WinMaker

Discussion in 'malware problems & news' started by phasechange, Oct 20, 2006.

Thread Status:
Not open for further replies.
  1. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Hi!


    Six People on my messenger list have spammed me today and are infected with this:

    AntiVir Found Backdoor-Server/MSNMaker.W.9 backdoor
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found Trojan.MSNMaker
    Dr.Web Found BackDoor.Oscar
    F-Prot Antivirus Found nothing
    Fortinet Found W32/MSNMaker.W!tr.bdr
    Kaspersky Anti-Virus Found Backdoor.Win32.MSNMaker.w
    NOD32 Found a variant of Win32/MSNMaker
    Norman Virus Control Found nothing
    VirusBuster Found nothing


    I cannot believe so many of them clicked on it. Agreeing to open a PIF too. Worse still they are spamming me but don't believe they are infected as Symantec finds nothing.... arghhH!


    Anyone know how this backdoor works? Our security people reckon it's easy to get rid of (I'm not infected) but I'm curious to know what sort of backdoor functionality it provides.

    Fairy
     
    phasechange, Oct 20, 2006
    #1
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    This seems to be a relatively new virus, those AVs that catch it must be relying on heuristics at the moment.
    Google searches using the various names the different AV scanners give the virus turn up negative.

    My guess is it:
    -connects to a remote server to download some files
    -establishes network connections and phones home
    -rootkit functionality (perhaps?,maybe) included in the package, allows attacker to hide most processes, files, registry settings, invisible processes in task manager.

    These are only guesses and predictions as to what this IM virus may be like.

    According to your talking of some PIF file, this may be it:
    http://filext.com/detaillist.php?extdetail=PIF

    The attack scenario I visualise is this:
    -Hacker sends unknown file to some victims, click on file and opens it triggering the execution code. Virus starts to spread.
    -IM programs, virus multiplies by mass spamming all those found on contacts list.
    -Could be a 0-day attack in progress.
     
    Last edited: Oct 20, 2006
    nadirah, Oct 20, 2006
    #2
  3. dog

    dog Guest

    dog, Oct 20, 2006
    #3
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    nadirah, Oct 20, 2006
    #4
  5. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    The PIF is called Photo656.pif and is hosted on photogbase dot com which we have blocked on our firewall.
     
    phasechange, Oct 20, 2006
    #5
  6. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    "is that u on that photo :eek: <link>" is the message it spams to messenger
     
    phasechange, Oct 20, 2006
    #6
  7. dog

    dog Guest

    That'd get someone to click it. ;) Social Engineering at it finest. :(
     
    dog, Oct 20, 2006
    #7
  8. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I had to respect the quality of the social engineering even though I loath for the creator of this.
     
    phasechange, Oct 22, 2006
    #8
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...