[Current] MSN Worm Activity
Peter Kruse
pkr at csis.dk
Sun Mar 6 23:36:58 GMT 2005
Hi Matt,
"Patch.exe" is packed with Armadillo and appears to be yet another SDbot
variant.
All in all, this looks like a new Bropia worm.
Regards
Peter
-----Original Message-----
From: current-bounces at dshield.org [mailto:current-bounces at dshield.org] On
Behalf Of Matt Thompson
Sent: 6 March 2005 23:45
To: current at dshield.org
Subject: [Current] MSN Worm Activity
Hello,
I have found some worm activity attempting to propagate through MSN
messenger.
Messages are being sent to everyone on the contact list saying "mg this is
funny! http://jose.rivera4.home.att.net/cute.pif"
Analysis of cute.pif shows that it is a scrambled UPX compressed PE file.
After descrambling, analysis shows that it is downloading and executing the
following URL:
http://home.comcast.net/~mdeely/patch.exe
I ran AVG and ClamAV against patch.exe with no results, and I have not done
any other analysis yet on patch.exe.
I will post any other information I find.
Matt Thompson
mthompson at ffd4.com
FFD4 Network Security
http://www.ffd4.com
(613)482-2689 x400
_______________________________________________
Current mailing list
Current at dshield.org
http://www.dshield.org/mailman/listinfo/current