Saturday, November 24, 2007

MSN Messenger Trojan

An MSN trojan is infecting thousands of PC’s worldwide via an IRC botnet. The malware is being introduced by MSN Messenger files posing as pictures, mostly seeming to come from known contacts.

So you get a message saying ‘Hey, this is your pic’ or ‘Hey this is your pic on this site’ with a link to a picture rating site. Click on the link and you will find that your computer has been recruited into the botnet!

From e-Week

The Trojan is an IRC bot that’s spreading through MSN Messenger by sending itself in a .zip file with two names. One of the names includes the word “pics” as a double extension executable—a name generally used by scanners and digital cameras: for example, DSC00432.jpg.exe. The Trojan is also contained in a .zip file with the name “images” as a .pif executable—for example, IMG34814.pif.

The files are infiltrating new systems by using either known contacts from which the Trojan has harvested instant messaging names, as well as from the systems of unknown users.

The infection vector—an IM program—isn’t new. But the Trojan is the first that eSafe has tracked that has tried to scan for VNC (Virtual Network Computing) instances, likely in order to multiply the botnet’s number of connections.

Use your common sense when chatting with friends, don’t click on links or open files sent from friends or otherwise unless you are 100% sure that your friend intended to send you the link. They won’t be offended if you decline to click…. !

Here is some good advice from Get Safe Online about using Instant Messaging Safely