Focus on Virus
Fwd: MSN Messenger Malware? Apr 15 2005 02:25AM
Mikey (mike_chan_ hotmail com) (1 replies)
Sorry...that example should have read;

>[05:29:29 PM] Colleague2: its you!
>[05:29:30 PM] Colleague2:
> http://hydr0.net/pictures.php?email=email2@hotmail.com

Thanks to those who have pointed it out.

Cheers,

Michael.

>To: focus-virus (at) securityfocus (dot) com
>From: Mikey <mike_chan_ (at) hotmail (dot) com>
>Subject: MSN Messenger Malware?
>
>Hi all.
>
>I haven't been following the virus scene very closely of late so this may
>be an old one. Still, I wouldn't mind if someone could help me identify if
>it is and if it isn't, bring it to the attention of the proper authorities.
>
>Firstly, a bit about the environment; I am running MSN Messenger
>v6.2.0205. Yesterday, a colleague sent me a message that says this;
>
>[05:29:29 PM] Colleague: its you!
>[05:29:30 PM] Colleague:
> http://hydr0.net/pictures.php?email=email@hotmail.com
>
>I have changed his real alias to "Colleague" and my MSN IM registered
>email address to email@hotmail.com for our protection (and yes, it's
>different to the one I am using to send this message).
>
>Now, normally, you don't see this kind of message except in spam messages.
>But if you click on that link, it will download and execute an executable
>(on Windows XP SP2, it will ask you about it).
>
>Of course, this is my own trusted colleague who is normally very
>conscientious in keeping viruses and malware out, especially from spam email.
>
>When you let it execute, it installs two files into the C:\Program
>Files\999 directory.
>
>It then executes one of these executables and sends this message to
>EVERYONE on your MSN IM contact list that is NOT offline.
>
>The message is the same as above but the email address is the same one as
>the recipient's email address. For example, the program will send a
>message to Colleague2, whose registered MSN IM email address is
>"email2@hotmail.com". This message to her (from you) will look like this;
>
>[05:29:29 PM] Colleague2: its you!
>[05:29:30 PM] Colleague2:
> http://hydr0.net/pictures.php?email2=email@hotmail.com
>
>So this epidemic spreads.
>
>The motive? I can only think that the owner of http://hydr0.net is
>collecting email addresses. He or she is using MSN Messenger to
>proliferate this executable to catch users off guard, while collecting more
>email addresses as this message spreads.
>
>The website is still active and there must be a registered domain owner so
>I would be interested to hear if anyone can dig further. ;-)
>
>BTW - I think I have cleaned it out by deleting the C:\Program Files\999
>directory and its files.
>
>Look forward to hearing some feedback on whether this is an already
>identified malware or not and where I can find more information on it
>(like its name), if it has already been identified.
>
>
>Cheers,
>
>Michael.
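
The propagation pattern described in this thread (one sender pushing the same link to every online contact, with each recipient's own address in the query string) can be looked for in IM gateway or proxy logs. The following is an added example, not part of the original posts; the message tuples, addresses and hostnames are constructed, and the threshold of three recipients is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample: (sender, recipient, message text). Not real log data.
SAMPLE = [
    ("colleague@example.com", "alice@example.com",
     "its you! http://lure.example/pictures.php?email=alice@example.com"),
    ("colleague@example.com", "bob@example.com",
     "its you! http://lure.example/pictures.php?email=bob@example.com"),
    ("colleague@example.com", "carol@example.com",
     "its you! http://lure.example/pictures.php?email=carol@example.com"),
    ("dave@example.com", "alice@example.com",
     "lunch menu http://intranet.example/menu.php?day=fri"),
    ("erin@example.com", "bob@example.com",
     "your invite http://cal.example/rsvp?guest=bob@example.com"),
]

def personalized_links(messages):
    """Yield (sender, recipient, url) when a link's query string
    carries the recipient's own address as a key or a value."""
    for sender, recipient, text in messages:
        for url in URL_RE.findall(text):
            pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
            tokens = {t.lower() for pair in pairs for t in pair}
            if recipient.lower() in tokens:
                yield sender, recipient, url

def mass_senders(messages, min_recipients=3):
    """Return {sender: "host/path"} for senders who sent a personalized
    link with the same host and path to at least min_recipients contacts.
    A single personalized link (e.g. an RSVP) stays below the threshold."""
    seen = defaultdict(set)
    for sender, recipient, url in personalized_links(messages):
        parts = urlsplit(url)
        seen[(sender, parts.netloc.lower() + parts.path)].add(recipient.lower())
    return {sender: loc for (sender, loc), rcpts in seen.items()
            if len(rcpts) >= min_recipients}

if __name__ == "__main__":
    for sender, loc in mass_senders(SAMPLE).items():
        print(f"possible IM worm: {sender} sent {loc} to multiple contacts")
```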

Re: MSN Messenger Malware? Apr 15 2005 04:21PM
Brian Marince (badbois4l gmail com)


 
