Prevx Blog

Aug 8th

IRCBot rapidly spreading on MSN

Posted by: Marco Giuliani

Our last blog post was about an IRCBot spreading through MSN. This strain of malware has our attention because of the level of activity around it: its authors are releasing new variants very quickly and change the IRC server with every variant.

What's worse is that a lot of people have been infected by it. Here is a summary of all the variants we have seen so far.

The malware arrives through MSN with one of these messages:

  • Regarde les tof de mes vacances en tunisie loool
  • Mira cómo Paris Hilton es perdida después de ser encarcelada :(
  • Guarda come Paris Hilton sprecato è, dopo che era imprijonata :(
  • Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
  • kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
  • Kolla hur förstörd Paris Hilton är, efter att hon fängslades :(
  • bak sana Paris Hilton ne hale gelmis hapiste :(
  • Lede hvor spild Paris Hilton er efter hun fik fængsel :(
  • Veja como Paris Hilton está acabada depois de ter sido presa :(
  • guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
  • Hey please look at me and my pet .. :p
  • Toi et moi !!! .... regarde :p
  • Usted e yo !!! .... Mira :p
  • Tu ed io !!! .... guarda :p
  • Jij en Ik !!!! .... kijk :p
  • NI HE WO !!! .... QING KAN :p
  • Du och jag !! .... Kolla ;)
  • Sen ve Ben !!! .... BAK :p
  • Jer og Mig !!! ... se :p
  • Você e eu !!!! .... Veja :p
  • du und ich !!! ....guck :p
  • Looking for hot summer pictures ? well here they are !! (h)
  • hey stp regarde mes tof !
  • Mira mis fotos jejeje :p
  • Guardi le mie foto hihi :p
  • Kijk eens naar mijn fotos hihi :p
  • KAN WO DE ZHAOPIAN :p
  • Kolla på min bilder, hihi :p
  • Baksana benim fotograflara hihi :p
  • Se på min fotos :p
  • Veja as minhas fotos hehehe :p
  • siehe meine fotos hihi :p
  • Look at me and my volleyball team, working our asses offff (h)
  • Hey s'il te plait accepte mes photos :o !!
  • Ha aceptado mis fotos por favor :o !!
  • Mairee photos accept karo :o !!
  • HEY !! accepteer mn fotos dan !
  • JIESHOU WO DE ZHAO PIAN :o !!
  • Hey, acceptera mina bilder, snälla :o
  • Hey benim fotolarimi kabul et :o !!
  • Hej behage optage min foto :o !!
  • Por favor aceite as minhas fotos :o !!
  • hey bitte nimm meine fotos an :o !!
  • Hey please look at me and my pet .. :p
  • Une tof de moi et ...:$ !!
  • Una foto con mi mejor amigo e yo :$ !!
  • Una foto con me ed il mio amico migliore :$ !!
  • met mijn beste vriend op de foto !! :$
  • YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
  • En bild på mig och min bästa vän :$ !!!
  • Iyi arkadasimla fotorafdayim :$ !!
  • EN foto hos mig og min bedst ven :$ !!
  • Uma foto com o meu melhor amigo e eu :$ !!
  • ein foto mit meinem besten freund und mir :$ !!
  • Psssssst .... just between me and you, please accept :$
  • Une tof de moi et ...:$ !!
  • Esta soy yo totalmente desnuda :o por favor no envía para nadie
  • Questa e me totaly nudo :o prego non trasmette a chiunque
  • Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
  • ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!
  • Detta är jag HELT naken.. :o Skicka inte till någon annan, snälla...
  • benim bu ciplak fotoda :o ama baskasina yollama
  • denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
  • Esta sou eu totalmente nua :o por favor não mande isso pra ninguém'
  • das bin ich total nackt :o bitte sende es niemand anderem
  • This is me totaly naked :o please dont send to anyone else
  • hihi kijk eens naar mijn geile fotos :$
  • hihi look at my horny pictures :$
  • salut! accept mes tofs! (H)
  • ey alles goed ? accepteer het !! (H
  • Sen ve Ben !!! .... BAK :p
  • Jer og Mig !!! ... se :p
  • Você e eu !!!! .... Veja :p
  • hi howdy ? accept it !! (H)
  • T'as pas vu mes tof d'été ?? (B)(D)
  • look at my great summer pictures (B)(D)
  • hey je viens de trouvé tes tof sur net :S
  • ik hou van je, daarom stuur ik je dit !!! :o
  • i love u thats why i send this !!! :o
  • oh mon dieux regarde ca!!
  • oh my god kijk eens naar die foto :o wowwww
  • oh my god look at this picture :o wowwww
  • c moi entrain du boire jus!!
  • C'est moi totalement nu :o s'il te plait ne l'envoie a personne d'autre
  • this is me drinking some juice !!

The transferred file may have one of these names, where [numbers] stands for a numeric suffix:

  • pictures[numbers]
  • photo_album[numbers]
  • photos2007_[numbers]
  • images[numbers]
  • images0[numbers]
  • photo[numbers]
  • photos0[numbers]
  • album[numbers]
  • itsME[numbers]
  • webcam-photos0[numbers]
  • summer[numbers]

The file is packed with the NTKrnl packer.

Once executed, it may copy itself into the Windows System directory as:

  • msninet.exe
  • msn.exe
  • intlprinters.exe
  • printers.exe

It may also drop a DLL, which is the main infection component, usually into the Windows System directory under one of these names:

  • sysprinters.dll
  • libhelps.dll
  • libmsns.dll
  • libcintle2.dll
  • libcintles3.dll
  • notiffy.dll
  • sysrcvr2.dll
  • sysrcvr246.dll

The DLL is registered as a COM object under a randomly generated CLSID, and it is loaded at logon through the registry key:

hklm\software\microsoft\windows\currentversion\shellserviceobjectdelayload\

where the CLSID registered by the malware is stored under one of these value names:

  • printers
  • drivers
  • system32
  • syshelps
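One way to check for this persistence mechanism offline, as an added example that is not part of the original post or any Prevx tool: parse a `reg export` of the ShellServiceObjectDelayLoad key and the CLSID entries it points to, and flag entries whose value name or DLL file name matches the names listed above. The registry export below is constructed for illustration (the CLSID is a made-up placeholder).

```python
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the persistence key and one CLSID
# entry; not a real export, and the CLSID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"printers"="{A1B2C3D4-0000-0000-0000-000000000001}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1B2C3D4-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\libmsns.dll"
"""

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# Value names and DLL names reported in the post.
SUSPECT_NAMES = {"printers", "drivers", "system32", "syshelps"}
SUSPECT_DLLS = {"sysprinters.dll", "libhelps.dll", "libmsns.dll", "libcintle2.dll",
                "libcintles3.dll", "notiffy.dll", "sysrcvr2.dll", "sysrcvr246.dll"}


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')  # "@" is the default value
            # .reg files escape backslashes as "\\"; undo that for paths.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def suspect_ssodl_entries(reg):
    """Return (value_name, clsid, dll_path) for entries matching the post's indicators."""
    hits = []
    for name, clsid in reg.get(SSODL, {}).items():
        inproc = f"{CLSID_ROOT}\\{clsid}\\InprocServer32"
        dll = reg.get(inproc, {}).get("", "")  # default value = DLL path
        if name.lower() in SUSPECT_NAMES or PureWindowsPath(dll).name.lower() in SUSPECT_DLLS:
            hits.append((name, clsid, dll))
    return hits


if __name__ == "__main__":
    for hit in suspect_ssodl_entries(parse_reg(SAMPLE_REG)):
        print("suspicious ShellServiceObjectDelayLoad entry:", hit)
```

On a live machine, the same checks can be run against the output of `reg export` of the two keys; any unrecognised value under ShellServiceObjectDelayLoad deserves a look even if its name is not in the list, since the authors change names between variants.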

The dynamic library is responsible for the MSN spreading, and it may connect to a remote IRC server from which the remote attacker can command the infected PC. IRC servers seen so far are:

  • www.free4people.net
  • john.free4people.net
  • www.onlinesciencexxx.com
  • games.onlinesciencexxx.com
  • https.easypwn.com

This malware is already detected by Prevx as Backdoor.IRCBot.gen and fully removed. Looking at how quickly the team behind this malware is releasing new variants, we expect more variants to be released this week. So the advice for this week is to make sure you know what you are accepting when you accept file transfers over MSN.

5 comments so far

  Sam on Aug 10 0:45, 2007

    I recently got this virus. I was half asleep and not thinking straight. As soon as I clicked it I knew I'd just opened a virus. But alas, no use beating myself up about it. I searched on Google for the virus using messages my friends had received from me. I came up with your vlog page and have just downloaded and run your program. Hopefully it will work. If it does work I'll let you know and tell other ppl who've been affected by it about your product.

  Sam on Aug 10 21:40, 2007

    Ran your program, which immediately informed me I was infected. It subsequently got rid of a file named libmsns.dll, which I notice you have listed on your blog entry as a possible main infection vector. I'm hoping that means that the main way in which the virus is spread has been terminated. So far I have not seen further effects of the virus in regards to its spreading through MSN and I'm hoping it will stay this way. If this is the case I am very grateful to your team for coming up with a solution.

  Emma on Aug 14 20:00, 2007

    Got this last night... same as the person who left the first comment, tired, multitasking, clicked without thinking....... and then went ARGH.

    I think I've shifted it, trying your product now.

    New filenames to add to your list, 'secretimages(number)' and also 'love(number)'.

  AlexM on Aug 13 14:50, 2008

    I found your site on Technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!

  Spyware Removal Tips on Nov 18 8:42, 2009

    Just wanted to say thank you! for all the great info found on your site, even helped me with my job recently :) keep it up!
