Prevx Blog

Jul 31st

IRCBot's spreading again on MSN

Posted by: Marco Giuliani

Bookmark Now

We're recieving a lot of reports of a new variant of the MSN worm we posted some weeks ago. It propagates via MSN as a packed file with one of these sentences:

  • Regarde les tof de mes vacances en tunisie loool
  • Mira cómo Paris Hilton es perdida después de ser encarcelada :(
  • Guarda come Paris Hilton sprecato è, dopo che era imprijonata :(
  • Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
  • kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
  • Kolla hur förstörd Paris Hilton är, efter att hon fängslades :(
  • bak sana Paris Hilton ne hale gelmis hapiste :(
  • Lede hvor spild Paris Hilton er efter hun fik fængsel :(
  • Veja como Paris Hilton está acabada depois de ter sido presa :(
  • guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
  • Hey please look at me and my pet .. :p
  • Toi et moi !!! .... regarde :p
  • Usted e yo !!! .... Mira :p
  • Tu ed io !!! .... guarda :p
  • Jij en Ik !!!! .... kijk :p
  • NI HE WO !!! .... QING KAN :p
  • Du och jag !! .... Kolla ;)
  • Sen ve Ben !!! .... BAK :p
  • Jer og Mig !!! ... se :p
  • Você e eu !!!! .... Veja :p
  • du und ich !!! ....guck :p
  • Looking for hot summer pictures ? well here they are !! (h)
  • hey stp regarde mes tof !
  • Mira mis fotos jejeje :p
  • Guardi le mie foto hihi :p
  • Kijk eens naar mijn fotos hihi :p
  • KAN WO DE ZHAOPIAN :p
  • Kolla på min bilder, hihi :p
  • Baksana benim fotograflara hihi :p
  • Se på min fotos :p
  • Veja as minhas fotos hehehe :p
  • siehe meine fotos hihi :p
  • Look at me and my volleyball team, working our asses offff (h)
  • Hey s'il te plait accepte mes photos :o !!
  • Ha aceptado mis fotos por favor :o !!
  • Mairee photos accept karo :o !!
  • HEY !! accepteer mn fotos dan !
  • JIESHOU WO DE ZHAO PIAN :o !!
  • Hey, acceptera mina bilder, snälla :o
  • Hey benim fotolarimi kabul et :o !!
  • Hej behage optage min foto :o !!
  • Por favor aceite as minhas fotos :o !!
  • hey bitte nimm meine fotos an :o !!
  • Hey please look at me and my pet .. :p
  • Une tof de moi et ...:$ !!
  • Una foto con mi mejor amigo e yo :$ !!
  • Una foto con me ed il mio amico migliore :$ !!
  • met mijn beste vriend op de foto !! :$
  • YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
  • En bild på mig och min bästa vän :$ !!!
  • Iyi arkadasimla fotorafdayim :$ !!
  • EN foto hos mig og min bedst ven :$ !!
  • Uma foto com o meu melhor amigo e eu :$ !!
  • ein foto mit meinem besten freund und mir :$ !!
  • Psssssst .... just between me and you, please accept :$
  • Une tof de moi et ...:$ !!
  • Esta soy yo totalmente desnuda :o por favor no envía para nadie
  • Questa e me totaly nudo :o prego non trasmette a chiunque
  • Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
  • ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!
  • Detta är jag HELT naken.. :o Skicka inte till någon annan, snälla...
  • benim bu ciplak fotoda :o ama baskasina yollama
  • denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
  • Esta sou eu totalmente nua :o por favor não mande isso pra ninguém'
  • das bin ich total nackt :o bitte sende es niemand anderem
  • This is me totaly naked :o please dont send to anyone else

The file can be called photo_album[number], photos2007_[number], images[number], photo[number], album[number]. The executable is packed with the NTKrnl packer.

After its executed, it copies itself under the Windows directory as msn.exe and creates a dll called LIBCINTLES3.DLL (some variants are called LIBCINTLE2.DLL)

The dll is added into the registry as CLSID and under

HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\

With key "printers" and value [CLSID created before].

The dll created has IRC backdoor functionality, connecting to an IRC server john.free4people.net and waiting for commands.

This malware is spreading quite quickly through MSN contacts and we strongly encourage you to be careful when accepting MSN file transfers. As we already hinted in our last blog about this malware, if in doubt ask the contact if they have sent you the file.. In most cases IM Worms send files to all your contacts in the background, so you won't be able to see these files being sent.

We already detect this threat as Backdoor.Ircbot.gen since the beginning of spread.

0 comments so far

Leave a reply








Yearly Archives

Stay Updated

YouTube Channel

Find us on Facebook