Free Republic
News/Activism

New IM Worms Hit MSN Messenger
TechWeb News ^ | March 07, 2005 | Gregg Keizer

Posted on 03/07/2005 3:27:17 PM PST by RebelTex

New worms spreading through MSN Messenger -- and its bundled-with-Windows Windows Messenger version -- via links to a malicious site are infecting users and leaving their PCs open to hacker hijack, security vendors reported Monday. The new worms, tagged as Kelvir.a and Kelvir.b, appeared over the weekend and on Monday, respectively, anti-virus vendors said. Both use the same mechanism to attract users and infect Windows-based PCs: they include a link in the instant message. That link, in turn, downloads a malicious file -- the actual worm, a variant of the long-running Spybot -- which opens a backdoor to the compromised machine.

Kelvir spreads by sending itself to all the MSN/Windows Messenger contacts on the infected PC, and poses as cryptic messages such as "lol! see it! u'll like it!" and "omg this is funny!" The link opens a .pif-formatted file.

.pif files are also often a format-of-choice for mass-mailed worms.

Also on Monday, another worm -- dubbed Sumon.a by U.K.-based Sophos -- was discovered spreading via MSN/Windows Messenger. Sumon, which propagates over peer-to-peer file-sharing networks as well, is much more aggressive. It disables a long list of security software, tries to overwrite the HOSTS file so commonly-accessed security Web sites can't be reached, and picks from a large number of links, including "Fat Elvis! lol!" and "Crazy frog gets killed by train!" to entice downloads.

(Excerpt) Read more at techweb.com ...


TOPICS: News/Current Events; Technical
KEYWORDS: computersecurity; email; exploit; hack; hacker; instantmessenger; internetexploiter; lookoutexpress; lowqualitycrap; messenger; microsoft; securityflaw; virus; windows; worm
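The article describes the lure precisely enough to write a gateway check for it: both Kelvir variants and Sumon spread by pushing a chat message whose link points at a .pif (a directly executable Windows file type), and the same trick works with .scr, .exe and the other mass-mailer extensions. Below is an added example of such a check, written for this post and not taken from TechWeb or any poster in the thread. The chat messages and hosts are constructed (example.invalid never resolves); the lure phrases are the ones quoted in the article.

```python
import re
from urllib.parse import urlparse

# File types Windows launches directly when a downloaded link target is opened.
# .pif is what the Kelvir lure used; the others are the usual mass-mailer set.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Loose URL matcher for chat text: http(s):// or a bare www. host, up to whitespace.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs in a chat message, minus punctuation glued to the end."""
    return [m.group(0).rstrip(".,!?;:)") for m in URL_RE.finditer(text)]


def is_executable_link(url):
    """True if the last path segment names a directly executable file type.

    Only the final extension counts, so 'funny.jpg.PIF' is caught (double
    extensions are a classic lure) and case is ignored. Query strings and
    fragments are discarded by urlparse before the filename is taken.
    """
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # bare 'www.' links need a scheme for urlparse
    filename = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1].lower()
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:] in EXECUTABLE_EXTENSIONS


def classify_message(text):
    """Decide whether an IM should be held because it links to an executable."""
    urls = extract_urls(text)
    executable = [u for u in urls if is_executable_link(u)]
    return {"urls": urls, "executable_links": executable, "block": bool(executable)}


# Constructed sample traffic: the lure strings from the article with made-up hosts.
SAMPLE_MESSAGES = [
    "lol! see it! u'll like it! http://example.invalid/pics/lol.pif",
    "omg this is funny! http://example.invalid/funny.jpg.PIF",
    "Crazy frog gets killed by train! www.example.invalid/frog.scr",
    "here is the report http://example.invalid/q1/report.pdf",
    "are you there?",
]


def scan(messages=SAMPLE_MESSAGES):
    return [classify_message(m) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, scan()):
        print("BLOCK " if verdict["block"] else "allow ", msg)
```

The check looks at what the link names, not at the lure text, because the phrases change with every variant (Sumon alone rotates through a long list) while the payload still has to be something Windows will run when clicked. A real gateway would add a fetch-and-inspect step for the link target, since a .php or redirect URL can still hand back a .pif.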
To: Flyer

He clicked on the link!

Then I told him.."But I told you NOT to click on links!"

LOL


61 posted on 03/08/2005 6:00:49 AM PST by Paloma_55
[ Post Reply | Private Reply | To 13 | View Replies]

To: Bush2000

Wow.


62 posted on 03/08/2005 6:06:49 AM PST by Petronski (Zebras: Free Range Bar Codes of the Serengeti)
[ Post Reply | Private Reply | To 55 | View Replies]

To: Bush2000
You're like some kind of freakin' answer-bot.

You're projecting again.

63 posted on 03/08/2005 6:16:57 AM PST by Petronski (Zebras: Free Range Bar Codes of the Serengeti)
[ Post Reply | Private Reply | To 53 | View Replies]

To: Petronski
You're projecting again.

LMFAO! Yeah, it must be my imagination. HAL9000 isn't really showing up on all of these PC threads and coaxing people to switch to his Macs... and, quite possibly, monkeys might fly out of your butt... /SARCASM
64 posted on 03/08/2005 11:41:35 AM PST by Bush2000
[ Post Reply | Private Reply | To 63 | View Replies]

To: RebelTex
I don't know anything about Trillian - sorry.

Here is the link to Trillian.

65 posted on 03/08/2005 4:55:11 PM PST by Jackknife (No man is entitled to the blessings of freedom unless he be vigilant in its preservation.-MacArthur)
[ Post Reply | Private Reply | To 40 | View Replies]

To: jakkknife

Thanks for the link.

Trillian looks very interesting, lots of neat stuff and capabilities.

I couldn't find any technical info on their website (brief scan), but will check it out later when I have more time. From what I could see, the API is probably built on the core msMessenger service, so it may be vulnerable to the same exploits. I will check it out further and may use it. As I said in an earlier post, I don't IM much - just to my daughter (she's always got 3 or 4 IM windows open, lol). If it's good and also secure, I'll recommend it to her.


66 posted on 03/08/2005 9:41:23 PM PST by RebelTex (Freedom is everyone's right - and everyone's responsibility!)
[ Post Reply | Private Reply | To 65 | View Replies]

To: backhoe
LOL !
It sounds as if each of you met your perfect match. What more could one ask?
67 posted on 03/08/2005 10:16:55 PM PST by Eagle9
[ Post Reply | Private Reply | To 52 | View Replies]

To: Eagle9
LOL ! It sounds as if each of you met your perfect match. What more could one ask?

I've been very fortunate with wives... my first, before cancer times two, and a stroke carried her off, was "the woman I was born to be with"-- I used to call her "my female self." The first time I met her, and heard her speak, I knew we were destined to be together... forever, or so I thought, but fate had other plans. Seven good years. Then, eternal silence.

The first time I laid eyes on wife number two
( and I can't recall the name of the show, but years ago there was a TV show with Jackie Cooper playing a Sultan with many wives, who made a big point of noting that "#1 Wife-- Ha! that's the littlest Number!" )
in the local bank, the first thought that popped into my head was "gee, I sure like her face." Later, mutual friends in the business community introduced us more formally. We've been married twenty years. And amusingly enough, until the last election, she was a Democrat... um, but bear in mind, of the Zell Miller, Scoop Jackson, dying breed type. Discussions of politics have always been "interesting" instead of acrimonious. I used to make a point of noting, "you know, you are a lot more Conservative than you think you are..."

Ironically, in all the years we've been married, she never cared enough about politics to bother voting... until Kerry came along, and scared her so badly that she registered to vote for President Bush.

68 posted on 03/09/2005 1:50:48 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 67 | View Replies]

To: backhoe
I've been very fortunate with wives...

You're a very fortunate man indeed. Never having been married, I envy you ...

69 posted on 03/09/2005 11:59:50 PM PST by Eagle9
[ Post Reply | Private Reply | To 68 | View Replies]

To: meadsjn
Download and run Shoot the Messenger from Gibson Research Corporation.

That's completely different from this issue, although they do share the same name.

GRC's StM closes port 135, which is the Windows Messenger Service port, used by application programmers to give users status messages, but used by spammers to put pop-up window advertisements on your screen.

This thread discusses a vulnerability in MSN's Instant Messenger program, for real-time, peer-to-peer "chatting."

Mark

70 posted on 03/10/2005 12:15:28 AM PST by MarkL (That which does not kill me, has made the last mistake it will ever make!)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Eagle9
You're a very fortunate man indeed. Never having been married, I envy you ...

Well, I would be the first to point out that a bad marriage is a far worse situation than never having been married. There is a certain amount of dumb luck involved in finding a mate, and a fair amount of dumb luck required to keep a marriage together as well.

Although, it is like many other aspects of living- you have to put something into it in order to get anything back.

Like the old story of the man and the cold stove-- "you give me some heat; I'll feed you some wood..."-- in real life, it doesn't work quite like that. A fair amount of thought and effort are required to stoke a relationship.

However, in the somewhat unlikely event that I survive Mrs. B, I might be inclined to swear off women and stick with a good dog.

71 posted on 03/10/2005 4:01:43 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 69 | View Replies]

To: RebelTex

I get an execution pop up at boot time that reads: "New messenger update available, do you want to update yes/no?"

Anyone know how I can disable that?


72 posted on 03/10/2005 4:05:14 AM PST by Rebelbase (Who is General Chat?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: MarkL
Thanks. This article has some good info too.

http://www.technicalinfo.net/papers/IMSecurity.html

{...}

Security Recommendations:
Many organisations think that they can block IM traffic at their firewalls by simply blocking the native IM port. However, the most popular IM applications are ‘port-agile’: should their native port be closed, they are capable of locating other open ports and tunnelling their traffic over a different port instead. Unless organisations are prepared to shut off all user access to the Internet, it is very difficult to prevent IM usage.

Consider the three most popular IM clients:

MSN Messenger – Users must login to the centralised service to locate other users. Once a connection is established, users message each other directly in peer-to-peer fashion. The default IP port for MSN Messenger is 1863 but the client is ‘port-agile’ and, if the port is blocked, it will look for other open ports – next targeting the HTTP port 80. MSN Messenger supports HTTP proxies, but does not support HTTP proxy authentication. Note that file transfers occur over TCP port 6891, audio and video conferencing over UDP ports 13324 and 13325, and application sharing is commonly TCP port 1503.

Yahoo Instant Messenger – Users login to the centralised Yahoo IM service to find other users. Once authenticated and online, users may choose to message each other directly or through shared chat rooms. The default port for Yahoo Instant Messenger is 5050 but the client is ‘port-agile’ and, if the port is blocked, it will look for other open ports – next targeting the HTTP port 80. Just like MSN Messenger, the client supports HTTP proxies, but not HTTP proxy authentication. Note that file transfers and file sharing are commonly done over TCP port 4443.

AOL Instant Messenger (AIM) – Users log in to the AOL Open System for Communication in Real-time (OSCAR) and then begin communications with Basic OSCAR Services (BOS) to locate and message other users. These messages pass through the server before being forwarded to the recipient. File transfers, voice traffic and other large digital payloads are conducted in peer-to-peer mode – whereby the initiating IM client sends its IP address and an open port over the service, so the remote client can connect to it. The default port for the AIM client is 5190 and, if the port is blocked, the ‘port-agile’ software will attempt to communicate over port 23 (telnet), 20 & 21 (FTP) and then 80 (HTTP). In addition, users can choose to go through a SOCKS v4/v5, an HTTP proxy or an HTTPS proxy. However, when tunnelling over the HTTPS proxy connection, AIM does not use SSL to encrypt traffic.

Some third-party solutions offer the ability to:

Define specific services – allowing organisations to restrict users and activities to specific IM protocols.
Block specific features – allowing organisations to select which IM functionality is available (e.g. peer-to-peer file transfers, allow/deny access to chat rooms, etc.).
Log IM access and communication – enabling organisations to record all message traffic and link it back to a specific user.
Block by categories – providing an ability to manage usage by specific user, group, site and time of day.

Depending upon the role of instant messaging within the organisation, the process of securing an organisation against the proliferation of unauthorised IM clients and traffic is not easily accomplished, and must be tackled through multiple layers of security, education and policy. As indicated above, blocking native ports of IM clients is not enough. Businesses must evaluate whether they require IM functionality within their organisation and incorporate appropriate security countermeasures.

{...}

73 posted on 03/10/2005 9:14:26 AM PST by meadsjn
[ Post Reply | Private Reply | To 70 | View Replies]
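The paper quoted above makes the practical point that a firewall rule on 1863/5050/5190 is not a control, because all three clients fall back to port 80 (AIM also tries 23, 20 and 21). What does hold up is recognising the protocol from the first bytes the client sends, whatever the port. Here is an added example of that, written for this thread and not taken from the paper or any poster: it classifies constructed connection records first by destination port and then by protocol fingerprint, and lists the sessions a port-only block would miss. The fingerprints are the well-known ones (MSNP sessions open with a "VER <trid> MSNP..." command, Yahoo YMSG packets carry the ASCII magic "YMSG", AIM's OSCAR uses FLAP frames starting with 0x2A); the hosts, IPs, and the HTTP gateway request are made up for the example.

```python
import re
from dataclasses import dataclass

# Native ports from the paper quoted above; a port-based block list looks only at these.
IM_DEFAULT_PORTS = {1863: "MSN", 5050: "Yahoo", 5190: "AIM"}

# Protocol fingerprints, independent of port:
#  - MSN Messenger (MSNP) opens every session with a "VER <trid> MSNP..." command.
#  - Yahoo Messenger (YMSG) packets start with the ASCII magic "YMSG".
#  - AIM/ICQ (OSCAR) frames client data in FLAP: first byte 0x2A ('*'), then a
#    channel number 1..5.
MSNP_VER_RE = re.compile(rb"^VER \d+ MSNP\d+")
YMSG_MAGIC = b"YMSG"
FLAP_START = 0x2A
FLAP_CHANNELS = {1, 2, 3, 4, 5}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def guess_by_port(flow):
    """What a native-port block list would call this connection."""
    return IM_DEFAULT_PORTS.get(flow.dport)


def http_body(payload):
    """Return the body of an HTTP request, or None if the payload is not one."""
    if not payload.startswith((b"POST ", b"GET ")):
        return None
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else None


def guess_by_fingerprint(flow):
    """Identify the IM protocol from payload, ignoring the port entirely."""
    p = flow.payload
    if MSNP_VER_RE.match(p):
        return "MSN"
    # MSN's port-80 fallback wraps the same MSNP commands in HTTP POSTs to a
    # gateway, so the VER command shows up in the request body, not at byte 0.
    body = http_body(p)
    if body is not None and MSNP_VER_RE.match(body):
        return "MSN"
    if p.startswith(YMSG_MAGIC):
        return "Yahoo"
    if len(p) >= 6 and p[0] == FLAP_START and p[1] in FLAP_CHANNELS:
        return "AIM"
    return None


def classify(flows):
    return [
        {"dport": f.dport, "by_port": guess_by_port(f), "by_fingerprint": guess_by_fingerprint(f)}
        for f in flows
    ]


def missed_by_port_block(flows):
    """IM sessions a native-port block would let straight through."""
    return [f for f in flows if guess_by_fingerprint(f) and guess_by_port(f) is None]


# Constructed flows: made-up hosts; the gateway request imitates MSN's HTTP tunnelling.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 1863, b"VER 1 MSNP12 MSNP11 CVR0\r\n"),
    Flow("10.0.0.5", "198.51.100.11", 80,
         b"POST /gateway/gateway.dll?Action=open&Server=NS HTTP/1.1\r\n"
         b"Host: gateway.example.invalid\r\nContent-Length: 26\r\n\r\n"
         b"VER 1 MSNP12 MSNP11 CVR0\r\n"),
    Flow("10.0.0.6", "198.51.100.20", 80, b"YMSG\x00\x0c\x00\x00\x00\x1a\x00\x4c\x00\x00\x00\x00"),
    Flow("10.0.0.7", "198.51.100.30", 23, b"\x2a\x01\x00\x00\x00\x04\x00\x00\x00\x01"),
    Flow("10.0.0.8", "198.51.100.40", 80, b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    Flow("10.0.0.9", "198.51.100.50", 1863, b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for row in classify(SAMPLE_FLOWS):
        print(row)
    print("missed by port block:", [f.dport for f in missed_by_port_block(SAMPLE_FLOWS)])
```

The last two constructed flows show both ways the port rule fails: plain web traffic on 1863 gets flagged as MSN, while the three real IM sessions on 80 and 23 sail through. The fingerprint route has its own limits (it needs the first client bytes, and an HTTPS proxy hides them), which is why the paper ends up at policy plus a dedicated IM gateway rather than firewall rules alone.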

To: Rebelbase
"New messenger update available, do you want to update yes/no?" Anyone know how I can disable that?

That would depend on which Messenger service the popup refers to. Possible solutions:

  1. Go ahead and let it update. Then disable or turn off the Messenger service.
  2. Open the specific Messenger service and find options or settings or preferences, then disable automatic updates.
  3. Uninstall the Messenger service (can't if it's Windows Messenger - but you can disable it - see the link below).

How to prevent Windows Messenger from running on a Windows XP-based computer

Good Luck.
RT

74 posted on 03/10/2005 8:09:11 PM PST by RebelTex (Freedom is everyone's right - and everyone's responsibility!)
[ Post Reply | Private Reply | To 72 | View Replies]

To: RebelTex

I got that message that you spoke of and, stupid me, I hit yes. Well, it seemed to go after a lot of my games and such; I had to reload them to work. Could there be more unhappiness waiting for me?


75 posted on 03/10/2005 8:15:42 PM PST by Empireoftheatom48 (God bless our troops!! Our President and those who fight against the awful commie, liberal left!!)
[ Post Reply | Private Reply | To 74 | View Replies]

To: Empireoftheatom48
"Could there be more unhappiness waiting for me?"

Only about a 98% chance - sorry.

Scan your system with your anti-virus program, delete any infected files found, then update the anti-virus program and repeat.

Then visit the website for the anti-virus program you have, or go to http://securityresponse.symantec.com/ and look up the worms mentioned in the article: Kelvir.a and Kelvir.b and Sumon.a and Bropia (link describes this older worm - real nasty).

Here's the free Bropia removal tool from Symantec. 

And the removal instructions from Symantec for: W32.Kelvir.E, Kelvir.A and Kelvir.B. Couldn't find any for Sumon.a.

The removal instructions all seem to have the same procedures, so once through should catch the above 3 worms.

You also might want to check out the IM Threat Center - this website has a list of IM threats and good info.

Good Luck,
RT

76 posted on 03/10/2005 9:35:26 PM PST by RebelTex (Freedom is everyone's right - and everyone's responsibility!)
[ Post Reply | Private Reply | To 75 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson