[Current] MSN Worm Activity

Peter Kruse pkr at csis.dk
Sun Mar 6 23:36:58 GMT 2005


Hi Matt,

"Patch.exe" is packed with Armadillo and appears to be yet another SDbot
variant. 

All in all, this looks like a new Bropia worm.

Regards
Peter

-----Original Message-----
From: current-bounces at dshield.org [mailto:current-bounces at dshield.org] On
Behalf Of Matt Thompson
Sent: 6 March 2005 23:45
To: current at dshield.org
Subject: [Current] MSN Worm Activity

Hello, 

I have found some worm activity attempting to propagate through MSN 
messenger. 

Messages are being sent to everyone on the contact list saying "mg this is 
funny! http://jose.rivera4.home.att.net/cute.pif" 

Analysis of cute.pif shows that it is a scrambled UPX compressed PE file.  
After descrambling, analysis shows that it is downloading and executing the 
following URL:
http://home.comcast.net/~mdeely/patch.exe 

I ran AVG and ClamAV against patch.exe with no results, and I have not done 
any other analysis yet on patch.exe.

I will post any other information I find. 

Matt Thompson
mthompson at ffd4.com
FFD4 Network Security
http://www.ffd4.com
(613)482-2689 x400 

