[Current] MSN Worm Activity

Peter Kruse pkr at csis.dk
Sun Mar 6 23:36:58 GMT 2005

Hi Matt,

"Patch.exe" is packed with Armadillo and appears to be yet another SDbot

All in all, this looks like a new Bropia worm.


-----Original Message-----
From: current-bounces at dshield.org [mailto:current-bounces at dshield.org] On
Behalf Of Matt Thompson
Sent: 6 March 2005 23:45
To: current at dshield.org
Subject: [Current] MSN Worm Activity


I have found some worm activity attempting to propagate through MSN 

Messages are being sent to everyone on the contact list saying "mg this is 
funny! http://jose.rivera4.home.att.net/cute.pif" 

Analysis of cute.pif shows that it is a scrambled UPX compressed PE file.  
After descrambling, analysis shows that it is downloading and executing the 
following URL:   		

I ran AVG and ClamAV against patch.exe with no results, and I have not done 
any other analysis yet on patch.exe.

I will post any other information I find. 

Matt Thompson
mthompson at ffd4.com
FFD4 Network Security
(613)482-2689 x400 
