[Current] MSN Worm Activity
Matt Thompson
mthompson at ffd4.com
Sun Mar 6 22:45:29 GMT 2005
Hello,

I have found some worm activity attempting to propagate through MSN
messenger.

Messages are being sent to everyone on the contact list saying "mg this is
funny! http://jose.rivera4.home.att.net/cute.pif"

Analysis of cute.pif shows that it is a scrambled UPX compressed PE file.
After descrambling, analysis shows that it is downloading and executing the
following URL:

http://home.comcast.net/~mdeely/patch.exe

I ran AVG and ClamAV against patch.exe with no results, and I have not done
any other analysis yet on patch.exe.

I will post any other information I find.

Matt Thompson
mthompson at ffd4.com
FFD4 Network Security
http://www.ffd4.com
(613)482-2689 x400
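
Added example, not part of the original post: a triage check for the kind of file described above, a UPX-style packed PE whose packer markers have been scrambled. It assumes "scrambled" means the UPX section names were altered; the function names and the header-only sample images are constructed for illustration, and the layout heuristics can also match other packers.

```python
import struct

MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = MEM_EXECUTE | MEM_READ | MEM_WRITE

def parse_sections(data):
    """Return (entry_rva, [(name, vsize, vaddr, rawsize, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)  # AddressOfEntryPoint
    table = pe + 24 + opt_size                             # first section header
    out = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        chars, = struct.unpack_from("<I", data, table + 40 * i + 36)
        out.append((name.rstrip(b"\0"), vsize, vaddr, rawsize, chars))
    return entry, out

def name_check(data):
    """Naive check: only works while the packer's section names are intact."""
    return any(s[0].startswith(b"UPX") for s in parse_sections(data)[1])

def layout_check(data):
    """Name-independent heuristics for a UPX-style layout (other packers may match)."""
    entry, secs = parse_sections(data)
    hits = []
    for i, (name, vsize, vaddr, rawsize, chars) in enumerate(secs):
        if rawsize == 0 and vsize > 0 and chars & RWX == RWX:
            hits.append("empty-on-disk RWX section")
        if i > 0 and vaddr <= entry < vaddr + vsize and chars & MEM_WRITE:
            hits.append("entry point in writable later section")
    return hits

# Constructed layouts: (VirtualSize, VirtualAddress, SizeOfRawData, Characteristics)
UPX_LAYOUT = [(0x5000, 0x1000, 0, 0xE0000080), (0x2000, 0x6000, 0x1800, 0xE0000040)]
PLAIN_LAYOUT = [(0x1800, 0x1000, 0x1800, 0x60000020), (0x400, 0x3000, 0x400, 0xC0000040)]

def build_sample(names, layout, entry):
    """Constructed, header-only PE32 image (no code) for exercising the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x10F)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(224, b"\0")
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0x400, 0, 0, 0, 0, ch)
                    for n, (vs, va, rs, ch) in zip(names, layout))
    return dos + coff + opt + secs
```

With renamed sections the name check goes quiet while the layout check still reports both indicators.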