[Current] MSN Worm Activity

Matt Thompson mthompson at ffd4.com
Sun Mar 6 22:45:29 GMT 2005


Hello, 

I have found some worm activity attempting to propagate through MSN 
messenger. 

Messages are being sent to everyone on the contact list saying "mg this is 
funny! http://jose.rivera4.home.att.net/cute.pif" 

Analysis of cute.pif shows that it is a scrambled UPX compressed PE file.  
After descrambling, analysis shows that it is downloading and executing the 
following URL:   		
http://home.comcast.net/~mdeely/patch.exe 

I ran AVG and ClamAV against patch.exe with no results, and I have not done 
any other analysis yet on patch.exe 

I will post any other information I find. 

Matt Thompson
mthompson at ffd4.com
FFD4 Network Security
http://www.ffd4.com
(613)482-2689 x400 




More information about the Current mailing list