[Current] MSN Worm Activity
pkr at csis.dk
Sun Mar 6 23:36:58 GMT 2005
"Patch.exe" is packed with Armadillo and appears to be yet another SDbot
All in all, this looks like a new Bropia worm.
From: current-bounces at dshield.org [mailto:current-bounces at dshield.org] On
Behalf Of Matt Thompson
Sent: 6. marts 2005 23:45
To: current at dshield.org
Subject: [Current] MSN Worm Activity
I have found some worm activity attempting to propagate through MSN
Messages are being sent to everyone on the contact list saying "mg this is
Analysis of cute.pif shows that it is a scrambled UPX compressed PE file.
After descrambling, analysis shows that it is downloading and executing the
I ran AVG and ClamAV against patch.exe with no results, and I have not done
any other analysis yet on patch.exe
I will post any other information I find.
mthompson at ffd4.com
FFD4 Network Security
Current mailing list
Current at dshield.org
More information about the Current