Posted on 03/07/2005 3:27:17 PM PST by RebelTex
New worms spreading through MSN Messenger -- and its bundled-with-Windows Windows Messenger version -- via links to a malicious site are infecting users and leaving their PCs open to hacker hijack, security vendors reported Monday. The new worms, tagged as Kelvir.a and Kelvir.b, appeared over the weekend and on Monday, respectively, anti-virus vendors said. Both use the same mechanism to attract users and infect Windows-based PCs: they include a link in the instant message. That link, in turn, downloads a malicious file -- the actual worm, a variant of the long-running Spybot -- which opens a backdoor to the compromised machine.
Kelvir spreads by sending itself to all the MSN/Windows Messenger contacts on the infected PC, and poses as cryptic messages such as "lol! see it! u'll like it!" and "omg this is funny!" The link opens a .pif-formatted file.
.pif files are also often a format-of-choice for mass-mailed worms.
Also on Monday, another worm -- dubbed Sumon.a by U.K.-based Sophos -- was discovered spreading via MSN/Windows Messenger. Sumon, which propagates over peer-to-peer file-sharing networks as well, is much more aggressive. It disables a long list of security software, tries to overwrite the HOSTS file so commonly-accessed security Web sites can't be reached, and picks from a large number of links, including "Fat Elvis! lol!" and "Crazy frog gets killed by train!" to entice downloads.
(Excerpt) Read more at techweb.com ...
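The article says Sumon.a overwrites the HOSTS file so that commonly used security web sites can no longer be reached. The script below is an added example (not from the article or any vendor) of how a defender can check a HOSTS file for that kind of tampering: it parses HOSTS-format text and flags any entry that points a watched security-vendor domain at a loopback, unspecified or otherwise non-routable address. The domain watch list and the sample HOSTS content are constructed for the demonstration.

```python
"""Check a Windows HOSTS file for entries that hijack security-vendor domains.

Added example (not from the article): Sumon.a is described as overwriting the
HOSTS file so that security web sites cannot be reached. This script parses
HOSTS-format text and flags any line that maps a watched domain to a loopback,
unspecified or otherwise non-routable address. The domain watch list and the
sample HOSTS content below are constructed for the demonstration.
"""
import ipaddress
import re

# Domains a defender would typically watch (constructed list; extend for your environment).
WATCHED_SUFFIXES = (
    "symantec.com",
    "sophos.com",
    "microsoft.com",
    "windowsupdate.com",
)

# Constructed sample: a comment, the normal localhost line, one internal host,
# and three hijacked entries of the kind the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example.test   # constructed internal host
127.0.0.1       www.symantec.com
0.0.0.0         securityresponse.symantec.com   # constructed hijack
127.0.0.1  update.microsoft.com windowsupdate.microsoft.com
"""

_LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-format text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = _LINE_RE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():           # one IP may carry several names
            yield ip, name.lower()


def is_watched(hostname):
    """True if the hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_sinkhole(ip):
    """True for addresses that cannot be the real site (loopback, unspecified, private, reserved)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True   # malformed address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_reserved


def find_hijacked_entries(text):
    """Return a sorted list of (hostname, ip) for watched domains pointed at a sinkhole address."""
    hits = set()
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                          # the one loopback entry that belongs there
        if is_watched(name) and is_sinkhole(ip):
            hits.add((name, ip))
    return sorted(hits)


if __name__ == "__main__":
    for host, ip in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {host} -> {ip}")
```

On a real machine the text would come from `%SystemRoot%\System32\drivers\etc\hosts`; a clean file normally contains only the `localhost` line, so any watched domain appearing at all is worth a look, even before the address check.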
He clicked on the link!
Then I told him... "But I told you NOT to click on links!"
LOL
Wow.
You're projecting again.
Thanks for the link.
Trillian looks very interesting, lots of neat stuff and capabilities.
I couldn't find any technical info on their website (brief scan), but will check it out later when I have more time. From what I could see, the API is probably built on the core msMessenger service, so it may be vulnerable to the same exploits. I will check it out further and may use it. As I said in an earlier post, I don't IM much - just to my daughter (she's always got 3 or 4 IM windows open, lol). If it's good and also secure, I'll recommend it to her.
I've been very fortunate with wives... my first, before cancer times two, and a stroke carried her off, was "the woman I was born to be with"-- I used to call her "my female self." The first time I met her, and heard her speak, I knew we were destined to be together... forever, or so I thought, but fate had other plans. Seven good years. Then, eternal silence.
The first time I laid eyes on wife number two (and I can't recall the name of the show, but years ago there was a TV show with Jackie Cooper playing a Sultan with many wives, who made a big point of noting that "#1 Wife-- Ha! that's the littlest Number!") in the local bank, the first thought that popped into my head was "gee, I sure like her face." Later, mutual friends in the business community introduced us more formally. We've been married twenty years. And amusingly enough, until the last election, she was a Democrat... um, but bear in mind, of the Zell Miller, Scoop Jackson, dying breed type. Discussions of politics have always been "interesting" instead of acrimonious. I used to make a point of noting, "you know, you are a lot more Conservative than you think you are..."
Ironically, in all the years we've been married, she never cared enough about politics to bother voting... until Kerry came along, and scared her so badly that she registered to vote for President Bush.
You're a very fortunate man indeed. Never having been married, I envy you ...
That's completely different from this issue, although they do share the same name.
GRC's StM closes port 135, which is the Windows Messenger Service port, used by application programmers to give users status messages, but used by spammers to put pop-up window advertisements on your screen.
This thread discusses a vulnerability in MSN's Instant Messenger program, for real-time, peer to peer "chatting."
Mark
Well, I would be the first to point out that a bad marriage is a far worse situation than never having been married. There is a certain amount of dumb luck involved in finding a mate, and a fair amount of dumb luck required to keep a marriage together as well.
Although, it is like many other aspects of living- you have to put something into it in order to get anything back.
Like the old story of the man and the cold stove-- "you give me some heat; I'll feed you some wood..."-- in real life, it doesn't work quite like that. A fair amount of thought and effort are required to stoke a relationship.
However, in the somewhat unlikely event that I survive Mrs. B, I might be inclined to swear off women and stick with a good dog.
I get an execution pop up at boot time that reads: "New messenger update available, do you want to update yes/no?"
Anyone know how I can disable that?
http://www.technicalinfo.net/papers/IMSecurity.html
{...}
Security Recommendations:
Many organisations think that they can block IM traffic at their firewalls by simply blocking the native IM port. However, the most popular IM applications are port-agile, should their native port be closed, are capable of locating other open ports and tunnelling their traffic over a different port instead. Unless organisations are prepared to shut off all user access to the Internet, it is very difficult to prevent IM usage.
Consider the three most popular IM clients:
MSN Messenger: Users must log in to the centralised service to locate other users. Once a connection is established, users message each other directly in peer-to-peer fashion. The default IP port for MSN Messenger is 1863 but the client is port-agile and, if the port is blocked, it will look for other open ports, next targeting the HTTP port 80. MSN Messenger supports HTTP proxies, but does not support HTTP proxy authentication. Note that file transfers occur over TCP port 6891, audio and video conferencing over UDP ports 13324 and 13325, and application sharing is commonly TCP port 1503.
Yahoo Instant Messenger: Users log in to the centralised Yahoo IM service to find other users. Once authenticated and online, users may choose to message each other directly or through shared chat rooms. The default port for Yahoo Instant Messenger is 5050 but the client is port-agile and, if the port is blocked, it will look for other open ports, next targeting the HTTP port 80. Just like MSN Messenger, the client supports HTTP proxies, but not HTTP proxy authentication. Note that file transfers and file sharing are commonly done over TCP port 4443.
AOL Instant Messenger (AIM): Users log in to the AOL Open System for Communication in Real-time (OSCAR) and then begin communications with Basic OSCAR Services (BOS) to locate and message other users. These messages pass through the server before being forwarded to the recipient. File transfers, voice traffic and other large digital payloads are conducted in peer-to-peer mode, whereby the initiating IM client sends its IP address and an open port over the service so the remote client can connect to it. The default port for the AIM client is 5190 and, if the port is blocked, the port-agile software will attempt to communicate over port 23 (telnet), 20 & 21 (FTP) and then 80 (HTTP). In addition, users can choose to go through a SOCKS v4/v5, an HTTP proxy or an HTTPS proxy. However, when tunnelling over the HTTPS proxy connection, AIM does not use SSL to encrypt traffic.
Some third-party solutions offer the ability to:
Define specific services, allowing organisations to restrict users and activities to specific IM protocols.
Block specific features, allowing organisations to select which IM functionality is available (e.g. peer-to-peer file transfers, allow/deny chat room access, etc.).
Log IM access and communication, enabling organisations to record all message traffic and link it back to a specific user.
Block by categories, providing an ability to manage usage by specific user, group, site and time of day.
Depending upon the role of instant messaging within the organisation, the process of securing an organisation against the proliferation of unauthorised IM clients and traffic is not easily accomplished, and must be tackled through multiple layers of security, education and policy. As indicated above, blocking native ports of IM clients is not enough. Businesses must evaluate whether they require IM functionality within their organisation and incorporate appropriate security countermeasures.
{...}
That would depend on which Messenger service the popup refers to. Possible solutions:
How to prevent Windows Messenger from running on a Windows XP-based computer
Good Luck.
RT
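The quoted paper's point is that blocking an IM client's native port (1863 for MSN Messenger, 5050 for Yahoo, 5190 for AIM) is not enough, because the client falls back to other open ports, typically HTTP 80 (AIM also tries 23, 20 and 21). A firewall that only denies the native port therefore leaves a tell-tale pattern in its logs: a DENY on the native port followed shortly by an ALLOW from the same client to the same server on a fallback port. The script below is an added example (not from the paper or the thread) that correlates those two events; the log format, the log lines and the IP addresses (TEST-NET documentation ranges) are constructed for the demonstration.

```python
"""Spot port-agile IM fallback in firewall logs.

Added example (not part of the quoted paper): the paper states that MSN
Messenger (1863), Yahoo (5050) and AIM (5190) fall back to other open ports,
typically HTTP 80 (AIM also tries 23, 20 and 21), when their native port is
blocked. A rule that only denies the native port produces a DENY on that port
followed shortly by an ALLOW from the same client to the same server on a
fallback port. This script correlates those events. The log format and the
log lines below are constructed; IPs are from the TEST-NET documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
import re

# Native ports and the fallback ports named in the paper.
IM_NATIVE_PORTS = {1863: "MSN Messenger", 5050: "Yahoo Messenger", 5190: "AIM"}
FALLBACK_PORTS = {80, 23, 20, 21}
WINDOW_SECONDS = 30   # how soon after the DENY a fallback ALLOW counts as related

# Constructed sample log, one connection attempt per line.
SAMPLE_LOG = """\
2005-03-07 15:20:01 DENY  tcp 10.0.0.5:3321 -> 203.0.113.10:1863
2005-03-07 15:20:03 ALLOW tcp 10.0.0.5:3322 -> 203.0.113.10:80
2005-03-07 15:21:10 DENY  tcp 10.0.0.7:4010 -> 198.51.100.25:5190
2005-03-07 15:21:12 DENY  tcp 10.0.0.7:4011 -> 198.51.100.25:23
2005-03-07 15:21:14 ALLOW tcp 10.0.0.7:4012 -> 198.51.100.25:21
2005-03-07 15:30:00 DENY  tcp 10.0.0.9:5000 -> 203.0.113.50:5050
2005-03-07 15:45:00 ALLOW tcp 10.0.0.9:5001 -> 203.0.113.50:80
2005-03-07 15:50:00 ALLOW tcp 10.0.0.11:5100 -> 203.0.113.99:80
"""

_LOG_RE = re.compile(
    r"^(\S+ \S+)\s+(ALLOW|DENY)\s+tcp\s+"
    r"(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_log(text):
    """Return a list of (timestamp, action, src_ip, dst_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue   # skip lines that do not match the constructed format
        ts, action, src, dst, dport = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, src, dst, int(dport)))
    return events


def find_port_agile_fallback(text, window=WINDOW_SECONDS):
    """Return (src, dst, client_name, fallback_port) for each DENY on a native IM port
    that is followed within `window` seconds by an ALLOW to the same server on a fallback port."""
    by_pair = defaultdict(list)
    for ev in parse_log(text):
        by_pair[(ev[2], ev[3])].append(ev)     # group by (client, server)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e[0])
        for i, (ts, action, _, _, port) in enumerate(evs):
            if action != "DENY" or port not in IM_NATIVE_PORTS:
                continue
            for later_ts, later_action, _, _, later_port in evs[i + 1:]:
                if (later_ts - ts).total_seconds() > window:
                    break                      # events are sorted, so nothing later can match
                if later_action == "ALLOW" and later_port in FALLBACK_PORTS:
                    findings.append((src, dst, IM_NATIVE_PORTS[port], later_port))
                    break
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, client, port in find_port_agile_fallback(SAMPLE_LOG):
        print(f"{src} -> {dst}: {client} blocked on native port, then allowed on {port}")
```

The correlation is deliberately narrow (same client, same server, short window) so that ordinary web browsing to unrelated hosts on port 80 does not fire; the 10.0.0.9 client in the sample, whose port-80 connection comes fifteen minutes later, is not reported at the default window.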
I got that message that you spoke of and, stupid me, I hit yes. Well, it seemed to go after a lot of my games and such; I had to reload them to work. Could there be more unhappiness waiting for me?
Only about a 98% chance - sorry.
Scan your system with your anti-virus program, delete any infected files found, then update the anti-virus program and repeat.
Then visit the website for the anti-virus program you have, or go to http://securityresponse.symantec.com/ and look up the worms mentioned in the article: Kelvir.a, Kelvir.b, Sumon.a and Bropia (the link describes this older worm - real nasty).
Here's the free Bropia removal tool from Symantec.
And the removal instructions from Symantec for W32.Kelvir.E, Kelvir.A and Kelvir.B. Couldn't find any for Sumon.a.
The removal instructions all seem to have the same procedures, so once through should catch the above 3 worms.
You also might want to check out the IM Threat Center - this website has a list of IM threats and good info.
Good Luck,
RT