30 January 2008

Multilingual Worm Spreads Over MSN Messenger


Another MSN worm is spreading with the same tactics as usual: “Wanna see my pictures before i send em to facebook?” and so on.

The only really interesting thing about this worm is that it sends the message in the language of the locale installed on the infected machine. This is pretty intelligent and much more likely to work, as most of the people on someone’s contact list are probably from the same country or at least use the same language.

The IRCBOT-RB Trojan poses as messages containing links to pictures on social networking sites such as MySpace and Facebook. Typical come-ons involve messages such as “Wanna see my pictures before i send em to facebook?”. Clicking on a link takes users to booby-trapped websites.

Unusually, the polyglot malware changes these messages according to the language of the affected operating system used. Compromised machines are infected by a simple bot agent that leaves the hardware hooked up to a central control server, awaiting instructions.

This makes the message much more believable than someone who speaks Portuguese to their friends suddenly sending a message in English. As usual, please educate people not to blindly follow or click links, and definitely not to accept files sent by friends on MSN/Yahoo! or AIM, as they are most likely auto-generated by a trojan.

Do message the person back manually and ask them if they really sent it.

Source: The Register
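
Because the lure text changes with the sender's locale, a filter keyed on the English phrase will miss most copies; what remains visible is one account pushing links to many contacts in a short burst. The following is an added example, not code from this post or from The Register, that flags that pattern in a constructed log; the `time|sender|recipient|text` log format, the addresses, the hosts and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (hypothetical format): ISO time|sender|recipient|text
SAMPLE_LOG = """\
2008-01-30T10:00:01|ana@example.test|bia@example.test|Quer ver minhas fotos? http://pics.example.invalid/a
2008-01-30T10:00:02|ana@example.test|caio@example.test|Quer ver minhas fotos? http://pics.example.invalid/b
2008-01-30T10:00:03|ana@example.test|duda@example.test|Quer ver minhas fotos? http://pics.example.invalid/c
2008-01-30T10:00:05|tom@example.test|sue@example.test|Wanna see my pictures? http://pics.example.invalid/d
2008-01-30T10:00:06|tom@example.test|raj@example.test|Wanna see my pictures? http://pics.example.invalid/e
2008-01-30T10:00:07|tom@example.test|kim@example.test|Wanna see my pictures? http://pics.example.invalid/f
2008-01-30T10:05:00|eva@example.test|tom@example.test|lunch? menu at http://cafe.example.invalid/menu
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def parse(log):
    """Yield (time, sender, recipient, link host) for every link in the log."""
    for line in log.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, sender, rcpt, text = parts
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname
            if host:
                yield datetime.fromisoformat(ts), sender, rcpt, host.lower()

def fanout_alerts(log, min_recipients=3, window=timedelta(seconds=60)):
    """Map link host -> senders who sent it to >= min_recipients
    distinct contacts inside one sliding time window."""
    events = defaultdict(list)  # (sender, host) -> [(time, recipient)]
    for ts, sender, rcpt, host in parse(log):
        events[(sender, host)].append((ts, rcpt))
    alerts = defaultdict(set)
    for (sender, host), seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop events older than the window
            if len({r for _, r in seen[start:end + 1]}) >= min_recipients:
                alerts[host].add(sender)
                break
    return {h: sorted(s) for h, s in alerts.items()}
```

Grouping by link host rather than message text is what lets the Portuguese and English copies in the sample collapse into a single alert.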




14 Responses to “Multilingual Worm Spreads Over MSN Messenger”

  1. Nobody_Holme 30 January 2008 at 4:28 pm

    I just ignore files as a habit unless we were discussing it just before. Safety FTW.

  2. goodpeople 30 January 2008 at 5:11 pm

    We already established that the bad guys are getting smarter. One more reason not to allow MSN at work…

  3. Pantagruel 30 January 2008 at 10:52 pm

    The main reason to block/not allow any chat client (icq/msn/aim/skype/whatever) on a production network is just because these chat clients are not secure and time upon time have proven to provide vulnerabilities. At work we block all known chat clients on production machines and have set up an additional number of machines which have no access to the production network and provide chat clients.

  4. goodpeople 31 January 2008 at 12:32 pm

    Wish it were that easy where I work. My students all bring their own laptop…

  5. eM3rC 7 February 2008 at 8:05 am

    I find that using a program called meebo (www.meebo.com) works the best for me. This site is basically an in browsing chat program which allows all the chatting and none of the files. If someone wants to send a file I have them email it to me (GMail AV and my own make it very very hard to get infected).

    Shouldn’t MSN implement some kind of handicap for people trying to send out like 10,000 messages in a few minutes?

  6. Pantagruel 7 February 2008 at 3:38 pm

    It would be nice if MSN indeed would implement a ‘spam limiting amount you can send’ routine. But I guess they (MS/MSN that is) are quite happy with the ‘active’ virtual social life some people have (or in the case of an MSN spammer seem to be having).

    meebo is a nice one, I have used koolim.com in the past (usually when abroad).

  7. Nobody_Holme 7 February 2008 at 4:07 pm

    Meh. If you’re competent with computers, there’s no need to move to another piece of software, because you can always just /block people.

  8. Pantagruel 7 February 2008 at 6:45 pm

    @Nobody_Holme

    Blocking an MSN user is only possible in retrospect. Usually the spammers will use and discard the used MSN/AIM/whatever chat client account. But then again, I hardly get more than 1 spam message a month trying to convince me either to get some pills for enlargement or some money scheme and they go straight to the bin.

  9. eM3rC 8 February 2008 at 3:38 am

    @Pantagruel
    I like AIM’s system where you can only send a certain # of messages within an allotted amount of time and you need recharge time before you can send large amounts of messages.

    @Nobody_Home
    It’s like saying “you can always hang up on telemarketers or delete the spam”. It would be nice if it was gone.

  10. J. Lion 12 February 2008 at 1:10 am

    Ignoring the link or file transfer is always the best option if the person is already in your buddy list.

    However, informing your buddy that he/she has an infected machine often brings a lot of grief and then despair.

  11. eM3rC 12 February 2008 at 1:56 am

    @J Lion
    I think it’s easy to just ignore the spam or block the people sending out the spam but I think something should be done about regulating messages or increasing awareness for IM infections.

  12. rrk 28 March 2008 at 11:16 am

    The virus is messaging my contacts with a nickname I had used last year even when my PC is switched off!! wtf do I do?

  13. zupakomputer 28 March 2008 at 3:59 pm

    rrk: is the modem still plugged in or active (if it’s wireless) when the PC is powered off?
    Are you sure it’s the same trojan? It might be something else that’s phished your details and is messaging people from another machine – if you can see where it is installed (on your PC) then remove it & delete it… I’m not sure if this is some kind of rootkit; if it is then you might need to do a bit more than just deleting it ’cause it would have some means to reinstall itself.

    Goodpeople: doesn’t the network block any unauthorised client additions – or if they’re going on by wireless then use MAC filters as well as any encryption keys. I wish my college had more students that could afford laptops, including me… it’d be a nicer place if it wasn’t such a chav-ridden nightmare. Not that everyone with money is ok, some are just spoiled by their parents, but I think overall it’d be better to up the class somewhat.

  14. fever 8 April 2008 at 7:57 pm

    Took some work to put this together, just wish builders would redirect attention to constructive things. Don’t waste your skills on the bad, focus on the good.