flat assembler
Message board for the users of flat assembler.

MSN worms

OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
Lots of friends are infected with an MSN worm that keeps sending itself to me. I think they're very effective at spreading because so many people are infected.
Do you know how they work? I'm just curious about this. Is this a security flaw from MSN or what?
Post 21 Jan 2008, 00:10
asmrox
Joined: 19 Jan 2008
Posts: 160
No, when you execute a file, it searches your added numbers and sends itself from you.
Post 21 Jan 2008, 01:08
OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
Yes, but I wanted to know HOW it sends itself through MSN. What API does it use, or what security flaw is it exploiting?
Post 21 Jan 2008, 01:57
edfed
Joined: 20 Feb 2006
Posts: 4237
Location: 2018
Is this worm a nokiaxxx type? Like:
here are my last pics of this holidays, look at this...?

If it is, this is a file that takes root in the Windows folder and executes each time you run Windows. It's very dangerous because it is a worm; it can be fixed with simple antivirus programs like the free Avira AntiVir.

MSN is full of security lacks. The first one is that all your conversations through MSN are recorded somewhere and sold to business companies.

Since I know that, I don't install it, and try some freeware/GPL IM clients.
About GPL open-source clients, do you know a good non-Jabber-based one? I don't want to install GTK on my machine.
Post 21 Jan 2008, 02:17
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
Maybe injecting itself into MSN Messenger in the same way (probably simpler) MSN Plus does.

The next time you receive it, download and reverse it if you can.
Post 21 Jan 2008, 02:42
OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
Loco: I already downloaded it. It comes in a zip (I think it zips itself). I'm getting it all the time (3 friends infected).
It doesn't send a link. It sends the zip file itself with a .com file inside.

And sends a message like this:
"are you there? tell me what you think of this. I Made it in photoshop. do you think its too green?"

I have it here. But I think it's very well protected (packed). Does anyone want to help me reverse it?
It would be good learning for everybody. Maybe a contest for reversing this thing and making a removal tool.
Not all AVs detect it now. It must have strong encryption. By the time I looked, only KAV detected it.
Post 21 Jan 2008, 03:27
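The archive-with-a-.com-inside pattern described in the post above is exactly what a triage script can flag before anyone extracts and runs the file. The following is an added example, not code from the thread or from any poster: it builds a stand-in archive in memory (constructed data, not the actual worm) and checks each member for an executable extension, a data-looking extension stacked in front of an executable one, an "MZ" header that marks a PE renamed to .com, and a lure-like name. The extension lists, the name pattern and the verdict rule are this example's own assumptions.

```python
"""Triage of a file received over IM: an archive that carries an executable
under a picture-looking name. Added example, not from the original thread.
The sample archive is constructed in memory; a real triage would open the
archive that was actually received instead."""
import io
import re
import zipfile

# Extensions Windows will execute when the extracted file is double-clicked.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions the lure message ("my holiday pics", "made it in photoshop") promises.
DATA_LIKE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".zip"}


def classify_member(name, head):
    """Return the signals a single archive member gives off.

    name: member file name inside the archive
    head: first bytes of the member (two are enough for the header check)
    """
    lower = name.lower()
    parts = lower.rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]          # all extensions, e.g. [".jpg", ".com"]
    final_ext = exts[-1] if exts else ""
    return {
        "name": name,
        "executable_ext": final_ext in EXECUTABLE_EXTS,
        # "pic.jpg.com": an innocuous extension in front of an executable one
        "double_extension": len(exts) >= 2
                            and exts[-2] in DATA_LIKE_EXTS
                            and final_ext in EXECUTABLE_EXTS,
        # a genuine .com file is raw x86 code with no header, so a .com that
        # starts with "MZ" is a PE (exe) that was merely renamed
        "pe_header": head[:2] == b"MZ",
        # heuristic name pattern for photo-themed lures (assumption of this example)
        "lure_name": bool(re.search(r"pic|photo|holiday|image|img", lower)),
    }


def triage_zip(data):
    """Inspect every member of a zip archive and return findings plus a verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings.append(classify_member(info.filename, head))
    suspicious = [f for f in findings if f["executable_ext"] or f["pe_header"]]
    return {
        "members": findings,
        "verdict": "suspicious" if suspicious else "clean",
        # every True signal from any suspicious member, deduplicated
        "reasons": sorted({k for f in suspicious for k, v in f.items()
                           if v is True and k != "name"}),
    }


def build_sample(name="holiday_pics.jpg.com", head=b"MZ\x90\x00"):
    """Constructed stand-in for the worm's archive: by default one PE renamed
    to .com behind a picture-looking name. Not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # just the DOS stub signature plus padding, enough for the header check
        zf.writestr(name, head + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

The header check matters more than the extension check: renaming an .exe to .com, .scr or .pif defeats a naive extension filter, but the "MZ" signature stays in place. Run it over a directory of received transfers and treat any "suspicious" verdict as a reason not to extract.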
asmrox
Joined: 19 Jan 2008
Posts: 160
Upload this file please.
Post 21 Jan 2008, 03:51
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
No, don't do it, use private means (e-mail, MSN, whatever) instead.
Post 21 Jan 2008, 04:14
OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
I don't know if I can upload it here. vid, Loco, does anyone know if it is against the rules?
Post 21 Jan 2008, 04:14
asmrox
Joined: 19 Jan 2008
Posts: 160
Why would uploading files be against the rules, lol.
Post 21 Jan 2008, 05:01
Madis731
Joined: 25 Sep 2003
Posts: 2141
Location: Estonia
@edfed:
Quote:

If it is, this is a file that takes root in the Windows folder and executes each time you run Windows

Not necessarily. With MSN these viruses are not very harmful because you'll have to 1) download it, 2) have no suspicion about the file, 3) extract the archive and 4) execute it. Usually no-one does all these.
With e-mail messages they actually use faults and stuff to get in unnoticed and then start to behave as they want. MSN in this way is really secure. Though, I don't use it.

And how is it dangerous, when it can be easily fixed? ^o)

I don't understand what you mean here either:
Quote:

MSN is full of security lacks. The first one is that all your conversations through MSN are recorded somewhere and sold to business companies.
Since I know that, I don't install it, and try some freeware/GPL IM clients.

First of all, recording is not a security lack! It is THEIR security. This feature allows off-line messages.
How does a free MSN client help? The messages still go through their servers and can still be recorded & sold or whatever!
Quote:

About GPL open-source clients, do you know a good non-Jabber-based one? I don't want to install GTK on my machine.

How is GTK related to Jabber? Miranda-IM didn't install anything. It's just download and run. Jabber is just another protocol it can use besides MSN, IRC, Yahoo!, GTalk, AIM...

What does jabber-based mean?
Post 21 Jan 2008, 06:31
OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
asmrox wrote:
Why would uploading files be against the rules, lol.

Because it's a malicious binary. The board can't take any responsibility for people getting infected.
I posted this topic only for the top reversers to help me understand this thing, and maybe I can create a removal tool to share with my friends.
Post 21 Jan 2008, 15:56
OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
I just got another MSN worm. This time it's not packed, and it's written in VB.

Do you know any free VB decompiler?

I downloaded a trial one. It seems the file is a downloader that downloads another program and executes it, judging by the APIs it uses:
Quote:

'VA: 403390
Private Declare Sub InternetCloseHandle Lib "wininet.dll"()
'VA: 40334C
Private Declare Sub InternetReadFile Lib "wininet.dll"()
'VA: 403308
Private Declare Sub InternetOpenA Lib "wininet.dll"()
'VA: 4032C8
Private Declare Sub InternetOpenUrlA Lib "wininet.dll"()
'VA: 402F10
Private Declare Function ShowWindow Lib "user32" Alias "ShowWindow" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
'VA: 402EBC
Private Declare Sub FindWindowA Lib "user32"()
'VA: 402E70
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
'VA: 402E30
Private Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextLengthA" (ByVal hwnd As Long) As Long
'VA: 402DE8
Private Declare Function GetParent Lib "user32" Alias "GetParent" (ByVal hwnd As Long) As Long
'VA: 402DAC
Private Declare Function GetWindowPlacement Lib "user32" Alias "GetWindowPlacement" (ByVal hwnd As Long, lpwndpl As WINDOWPLACEMENT) As Long
'VA: 402D58
Private Declare Sub SHGetPathFromIDListA Lib "shell32.dll"()
'VA: 402D1C
Private Declare Sub SHGetSpecialFolderLocation Lib "shell32.dll"()
'VA: 402BE8
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long ' Note that if you the lpData parameter as String, you must pass it By Value.
'VA: 402BA4
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long ' Note that if you the lpData parameter as String, you must pass it By Value.
'VA: 402B48
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
'VA: 402B0C
Private Declare Function RegDeleteValue Lib "advapi32.dll" Alias "RegDeleteValueA" (ByVal hKey As Long, ByVal lpValueName As String) As Long
'VA: 402ACC
Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (ByVal hKey As Long, ByVal lpSubKey As String) As Long
'VA: 402A8C
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
'VA: 402A4C
Private Declare Function RegCloseKey Lib "advapi32.dll" Alias "RegCloseKey" (ByVal hKey As Long) As Long


Malware decompiling/disassembling is fun!

If you want the link to the worm I can send you a PM. It sends this link to MSN contacts.
Reading AV reports, it seems it downloads another executable that is able to steal bank information when the person accesses the bank's site. Very dangerous one!
I submitted the sample to Avira AntiVir.
Post 15 Feb 2008, 21:14
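The reasoning in the post above (infer what the sample does from the APIs it declares) can be scripted so the same triage is repeatable on the next sample. The following is an added example, not code from the thread or from the decompiler: it parses the declaration listing quoted above (copied here as sample input, with the 'VA: comments dropped after the first and the parameter lists elided, since only the Lib and Alias parts are parsed), resolves each Alias to the real export name, groups exports into capability buckets, and tags the sample as a downloader when the wininet open/open-URL/read trio is all present. The capability map and the tag rules are this example's own heuristics, not an authoritative classification; a registry write only says the sample modifies the registry, not which key.

```python
"""Infer capabilities of a sample from the API names it declares or imports.
Added example for this thread; the capability map below is this example's own
heuristic and is not exhaustive."""
import re
from collections import defaultdict

# Declaration listing quoted in the post (VB6 decompiler output), copied here
# as sample input. Parameter lists are elided: only Lib/Alias are parsed.
DECLARATIONS = """
'VA: 403390
Private Declare Sub InternetCloseHandle Lib "wininet.dll"()
Private Declare Sub InternetReadFile Lib "wininet.dll"()
Private Declare Sub InternetOpenA Lib "wininet.dll"()
Private Declare Sub InternetOpenUrlA Lib "wininet.dll"()
Private Declare Function ShowWindow Lib "user32" Alias "ShowWindow" (...) As Long
Private Declare Sub FindWindowA Lib "user32"()
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (...) As Long
Private Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextLengthA" (...) As Long
Private Declare Function GetParent Lib "user32" Alias "GetParent" (...) As Long
Private Declare Function GetWindowPlacement Lib "user32" Alias "GetWindowPlacement" (...) As Long
Private Declare Sub SHGetPathFromIDListA Lib "shell32.dll"()
Private Declare Sub SHGetSpecialFolderLocation Lib "shell32.dll"()
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (...) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (...) As Long
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (...) As Long
Private Declare Function RegDeleteValue Lib "advapi32.dll" Alias "RegDeleteValueA" (...) As Long
Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (...) As Long
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (...) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" Alias "RegCloseKey" (...) As Long
"""

# Export name -> behaviour bucket. Heuristic map written for this example.
CAPABILITIES = {
    "download_from_url": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
    "registry_write": {"RegSetValueExA", "RegCreateKeyA"},
    "registry_read": {"RegOpenKeyA", "RegQueryValueExA"},
    "registry_delete": {"RegDeleteValueA", "RegDeleteKeyA"},
    "window_enumeration": {"FindWindowA", "GetWindowTextA", "GetWindowTextLengthA",
                           "GetParent", "GetWindowPlacement", "ShowWindow"},
    "special_folder_lookup": {"SHGetSpecialFolderLocation", "SHGetPathFromIDListA"},
}

# The VB name may differ from the export; the Alias, when present, is the export.
DECL_RE = re.compile(
    r'Private Declare (?:Sub|Function) (\w+) Lib "([^"]+)"(?: Alias "(\w+)")?')


def parse_declarations(listing):
    """Return a list of (library, exported_name) pairs from a VB Declare listing."""
    found = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("'"):      # VB comment such as 'VA: 403390
            continue
        m = DECL_RE.search(line)
        if not m:
            continue
        declared, lib, alias = m.groups()
        lib = re.sub(r"\.dll$", "", lib.lower())  # "wininet.dll" and "user32" alike
        found.append((lib, alias or declared))
    return found


def triage(listing):
    """Group the declared exports into capability buckets and derive tags."""
    caps = defaultdict(list)
    unmapped = []
    for _lib, api in parse_declarations(listing):
        for cap, names in CAPABILITIES.items():
            if api in names:
                caps[cap].append(api)
                break
        else:
            unmapped.append(api)          # e.g. handle cleanup calls
    caps = {k: sorted(v) for k, v in caps.items()}
    tags = []
    # downloader: open a session, open a URL, read the body; all three present
    if CAPABILITIES["download_from_url"] <= set(caps.get("download_from_url", [])):
        tags.append("downloader")
    if caps.get("registry_write"):
        tags.append("registry_modification")
    return {"capabilities": caps, "unmapped": sorted(unmapped), "tags": tags}


if __name__ == "__main__":
    for key, value in triage(DECLARATIONS).items():
        print(key, value)
```

The same bucketing works on a PE import table (names from the import directory instead of VB Declare lines), which is how the packed sample from earlier in the thread would be handled once unpacked. What the script cannot tell you is what gets written to the registry or which window titles are being watched; that needs the disassembly.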
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
I haven't seen any MSN worm that actually exploits flaws in MSN; they've all been of the type that you either have to run manually, or that opens a URL and actually exploits through IE security holes.

Not saying that there aren't any exploits in MSN (I don't know), just that I haven't seen any exploited.

But people are fucktardedly dumb lemmings, and will click just about anything.
Post 16 Feb 2008, 00:40
edfed
Joined: 20 Feb 2006
Posts: 4237
Location: 2018
MSN is a worm.
Post 16 Feb 2008, 00:49
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
edfed wrote:
MSN is a worm.
You can do better than that, silly boy. At least it's a lesser evil than ICQ.

_________________
carpe noctem
Post 16 Feb 2008, 01:06
Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.