Jul 4th

When IRCBots spread through MSN

Posted by: Marco Giuliani

During the last couple of days there was an outbreak of a new worm with backdoor functionality. It propagates via MSN Messenger with the following messages:

  • Here are my very secret pictures for you.
  • Here are my pictures from my vacation
  • hmm is this you on the photo ?
  • Check out my pics from my workplace.
  • Nice new photos of me and my friends and stuff...
  • ahh look this is my greatest picture made on vacation 2007, take a look
  • Check out my nice photo album. :D
  • hey regarde les tof de notre bande de fous. :p
  • hey c'est toi dans ces tof!!???
  • hey regarde les tof, c'est moi et mes copains entrain de.... :D
  • j'ai fais pour toi cet album de photos tu dois le voire :p
  • stp regarde cet album de photos je lai fais specialement pour toi et mes amis...
  • mes photos chaudes :D
  • t'as pas encore vu ces tof???
  • hey kijk eens naar mijn nieuwe foto album
  • hey bekijk eens mijn nieuwe foto album
  • hmm ben jij dit op de foto ?
  • hey kijk ! dit is een lijst van mijn nieuwste fotos !!
  • ahh kijk mijn mooiste foto album van vakantie 2007 bekijk ze eens :p
  • kijk dit zijn fotos van mij werkplek! :)
  • hmm ben jij dit op de foto ?
  • meine heißen Fotos ! :p
  • le mie foto calde :p
  • mis fotos calientes
  • mi fotografìas :p
  • Mi amigo tom
  • las fotos agradables de mí :p
  • mis fotos calientes
  • el lol mi hermana quisiera que le enviara este álbum de foto

The file sent is named myalbum2007.zip. Once unpacked, photo album-2007.scr is the dropper that installs sysprinters.dll, which contains the IRC backdoor functionality.

Myalbum2007 is dropped into the Windows main directory, while sysprinters.dll is dropped into the Windows system32 directory.

Sysprinters.dll is registered as a COM object (CLSID) and is loaded at system startup through the registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
using a value named "system32". The malware tries to connect to a server at "www.free4people.net".
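ShellServiceObjectDelayLoad is a convenient persistence point because its values are only CLSIDs, so the DLL actually being loaded is one lookup away in HKLM\SOFTWARE\Classes\CLSID. The following script is an added example (not Prevx code) that triages an exported .reg file offline: it resolves each ShellServiceObjectDelayLoad value to its InProcServer32 DLL and flags entries that are not in a clean baseline. The registry excerpt, the CLSIDs in it and the baseline table are all constructed for this example; the post does not give the malware's real CLSID, and a real baseline should be taken from a known-clean machine of the same Windows version.

```python
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a regedit export (.reg) showing the persistence
# described in the post. The CLSIDs are placeholders made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{11111111-1111-1111-1111-111111111111}"
"WebCheck"="{22222222-2222-2222-2222-222222222222}"
"system32"="{33333333-3333-3333-3333-333333333333}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\InProcServer32]
@="C:\\WINDOWS\\system32\\sysprinters.dll"
"ThreadingModel"="Apartment"
"""

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Assumed clean baseline: value name -> DLL expected behind its CLSID.
# Illustrative only; build the real one from a known-clean machine.
BASELINE = {
    "postbootreminder": "shell32.dll",
    "webcheck": "webcheck.dll",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers and
    "name"="string" / @="string" lines. Keys and value names are lowercased
    because the registry is case-insensitive."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape quotes and backslashes inside string data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def resolve_ssodl(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (value name, CLSID, DLL path or None) for every SSODL entry."""
    entries = []
    for name, clsid in keys.get(SSODL_KEY.lower(), {}).items():
        dll = None
        for hive in (r"hkey_local_machine\software\classes", "hkey_classes_root"):
            server = keys.get(f"{hive}\\clsid\\{clsid.lower()}\\inprocserver32")
            if server and "(default)" in server:
                dll = server["(default)"]
                break
        entries.append((name, clsid, dll))
    return entries


def triage_ssodl(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str], str]]:
    """Flag SSODL entries that are absent from the baseline, or whose CLSID
    resolves to a different DLL than expected (or to no DLL at all)."""
    findings = []
    for name, clsid, dll in resolve_ssodl(keys):
        basename = dll.rsplit("\\", 1)[-1].lower() if dll else None
        if name not in BASELINE:
            findings.append((name, dll, "value name not in clean baseline"))
        elif basename != BASELINE[name]:
            findings.append((name, dll, f"expected {BASELINE[name]}, got {basename}"))
    return findings


if __name__ == "__main__":
    for name, dll, reason in triage_ssodl(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"SUSPECT {name!r:20} -> {dll}  ({reason})")
```

On the constructed export the only finding is the "system32" value, which resolves to sysprinters.dll. Resolving the CLSID rather than trusting the value name is the point: the name is attacker-chosen and deliberately looks like a system component.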

Both sysprinters.dll and photo album-2007.scr are detected as Backdoor.IRCBot.gen by Prevx, and to date 129 users within our userbase have seen this file.

Remember – even though you have added someone to your MSN contact list – if they get infected with this threat, they will automatically send you the infection. Be careful as to what files you accept, and if in doubt ask the contact whether they really sent you the file, especially in the case of myalbum2007.zip. In most cases IM worms send files to all your contacts in the background, so the infected user won't see these files being sent.

On a side note coming from the lab: we've seen a new rootkit spreading lately, which some antivirus companies call Srizbi. It uses some nice tricks to hide itself from the user. It hooks the NTFS file system driver and some SSDT functions. But instead of modifying the SSDT address pointers (a widely used technique), it places inline hooks inside ntoskrnl.exe, overwriting the first bytes of each hooked function with a jump into the rootkit driver.

This way, any antirootkit that checks only the SSDT address pointers is bypassed. A nice situation in which to test the new antirootkit scanner we're developing: even here, our rootkit scanner worked a charm and detected the rootkit.
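The difference between the two checks is easy to show in code. Below is an added example (not Prevx's scanner and not the rootkit's code) with a constructed kernel memory layout: an SSDT whose pointers all still point into ntoskrnl, and the first bytes of four functions, two of which have been patched with a trampoline into a driver loaded elsewhere. The pointer-only check reports nothing; the entry-byte check decodes the first instruction and flags any jump whose target lies outside the image. All addresses, sizes and function bytes are made up for the example; the function names are real ntoskrnl exports but their placement here is fictional.

```python
from typing import Dict, List, Optional, Tuple

# Constructed memory layout (addresses are made up): the kernel image and a
# rootkit driver loaded elsewhere in kernel space.
NTOSKRNL_BASE, NTOSKRNL_SIZE = 0x80400000, 0x001F0000
ROOTKIT_BASE = 0xF8A00000

CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")  # mov edi,edi / push ebp / mov ebp,esp


def rel32_jmp(from_addr: int, to_addr: int) -> bytes:
    """Encode 'jmp rel32' (E9) from from_addr to to_addr."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


def push_ret(to_addr: int) -> bytes:
    """Encode 'push imm32; ret' (68 .. C3), another common trampoline."""
    return b"\x68" + to_addr.to_bytes(4, "little") + b"\xC3"


# name -> (address inside ntoskrnl, first bytes of the function). Constructed.
FUNCTIONS: Dict[str, Tuple[int, bytes]] = {
    "NtQueryDirectoryFile": (0x80570000, CLEAN_PROLOGUE),
    "NtCreateFile":         (0x80571000, rel32_jmp(0x80571000, ROOTKIT_BASE + 0x1234)),  # hooked
    "NtOpenFile":           (0x80572000, rel32_jmp(0x80572000, 0x80572040)),             # benign jump inside the image
    "NtEnumerateKey":       (0x80573000, push_ret(ROOTKIT_BASE + 0x2000)),               # hooked
}

# The SSDT as this rootkit leaves it: every pointer still points into ntoskrnl.
SSDT: Dict[str, int] = {name: addr for name, (addr, _) in FUNCTIONS.items()}


def in_image(addr: int) -> bool:
    return NTOSKRNL_BASE <= addr < NTOSKRNL_BASE + NTOSKRNL_SIZE


def entry_jump_target(addr: int, code: bytes) -> Optional[int]:
    """If the function's first instruction transfers control, return its target."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                      # jmp rel8
        rel = int.from_bytes(code[1:2], "little", signed=True)
        return (addr + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return int.from_bytes(code[1:5], "little")
    return None


def check_ssdt_pointers(ssdt: Dict[str, int]) -> List[str]:
    """The classic check: SSDT entries that point outside ntoskrnl."""
    return [name for name, addr in ssdt.items() if not in_image(addr)]


def check_inline_hooks(funcs: Dict[str, Tuple[int, bytes]]) -> List[Tuple[str, int]]:
    """Flag functions whose entry instruction jumps outside the image."""
    hooked = []
    for name, (addr, code) in funcs.items():
        target = entry_jump_target(addr, code)
        if target is not None and not in_image(target):
            hooked.append((name, target))
    return hooked


if __name__ == "__main__":
    print("SSDT pointers outside ntoskrnl:", check_ssdt_pointers(SSDT))
    for name, target in check_inline_hooks(FUNCTIONS):
        print(f"inline hook: {name} -> {target:#010x}")
```

Two caveats the example is built around: some legitimate functions do begin with a jump (for instance to a thunk within the same image), so the target range matters more than the opcode, and a hook can be placed a few instructions in rather than at the first byte. A production scanner therefore reads the live kernel code through a driver and diffs it against the on-disk image rather than only decoding the entry instruction.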

Our rootkit scanner (which will replace the Anti-Rootkit already included in Prevx 2.0) uses a "new approach" to detect rootkits, and so far has performed really well in a set of internal tests. We're busy writing an article about it for the blog at present – stay tuned!

1 comment so far

  superman on Aug 2 17:25, 2007
  This is great! Can't wait for the release of the antirootkit!
