Wednesday, June 27, 2007

Warning: Undetected MSN messenger worm - pic901.com

Hopefully I won't get flagged for this, but it's my duty to warn people about the presence of living or computer viruses.

Looking for a sexy 'behind'? Well not here! This is a VIRUS REPORT! The program is NOT DETECTED YET (check out the virustotal.com screenshot) at the time of writing!
likemyass.net (active)
ratethisphoto.net (purged)
ratethisface.net (purged)

I discovered this while I was checking some links gathered with the help of an eggdrop script of mine:
mwrouin-m-!~info@business-67-35.netway.com.cy MSG!#cyprus
hey check :O http://www.likemyass.net/.......

(....... replaces the filename)
This malware is undetected by most antivirus products at the time of writing, so watch it: likemyass.net = BAD

The dude above is not the spammer. The malware somehow is spammed through IRC instead of MSN. This malware/trojan/virus/worm/bad exe, whatever you might want to call it, is spreading around replacing the MSN executable.
Some of my friends believe that this is the 'new' Virtumonde. It might just use its registry keys, but the MSN spamming is a whole new thing I guess!

UPDATE: The website is now down!
UPDATE 2: The website has changed to http://la.gg/UPL/PIC901.COM (but it was down when I was notified)
UPDATE 3: Solutions
1) Vundofix
2) VundoBeGone
3) Uninstall, restart and reinstall MSN Messenger from here: http://g.msn.com/8reen_us/EN/INSTALL_MSN_MESSENGER_DL.EXE
4) Try out one of my generic cleaners, cwean pack: www.erroneous.name

You are encouraged to download the executable and upload it to www.virustotal.com or www.uploadmalware.com

More info about the lil' bugger at Kaspersky's website

4 comments:

Unknown said...

It seems it has switched servers

http://la.gg/UPL/PIC901.COM

Unknown said...

I just received it from this server too.

Unknown said...

By the time I looked at it, it was already down. If you have downloaded the executable please pass it to VirusTotal.com or UploadMalware.com so the big antivirus companies can have their sources updated :)

Anonymous said...

um, I just got a notification from likemyass.net, the server isn't down any more!