Multilingual Worm Spreads Over MSN Messenger

Another MSN worm spreading with the same tactics as usual, “Wanna see my pictures before i send em to facebook?” and so on.

The only really interesting thing about this worm is that it sends the message in the language of the locale installed on the infected machine. This is pretty intelligent and is much more likely to work, as most of the people on someone’s contact list are probably from the same country or at least use the same language.

The IRCBOT-RB Trojan poses as messages containing links to pictures on social networking sites such as MySpace and Facebook. Typical come-ons involve messages such as “Wanna see my pictures before i send em to facebook?”. Clicking on a link takes users to booby-trapped websites.

Unusually, the polyglot malware changes these messages according to the language of the affected operating system used. Compromised machines are infected by a simple bot agent that leaves the hardware hooked up to a central control server, awaiting instructions.

This would mean it’s much more believable than someone who speaks Portuguese to their friends sending a message in English. As usual, please educate people not to blindly follow or click links, and definitely not to accept files sent by friends on MSN/Yahoo! or AIM, as they are most likely auto-generated by a trojan.

Do message the person back manually and ask them if they really sent it.

Source: The Register

Posted in: Malware, Social Engineering

14 Responses to Multilingual Worm Spreads Over MSN Messenger

  1. Nobody_Holme January 30, 2008 at 4:28 pm #

    I just ignore files as a habit unless we were discussing it just before. safety FTW.

  2. goodpeople January 30, 2008 at 5:11 pm #

    We already established that the bad guys are getting smarter. One more reason not to allow MSN at work…

  3. Pantagruel January 30, 2008 at 10:52 pm #

    The main reason to block/not allow any chat client (icq/msn/aim/skype/whatever) on a production network is just because these chat clients are not secure and time upon time have proven to provide vulnerabilities. At work we block all known chat clients on production machines and have set up an additional number of machines which have no access to the production network and provide chat clients.

  4. goodpeople January 31, 2008 at 12:32 pm #

    Wish it were that easy where I work. My students all bring their own laptop…

  5. eM3rC February 7, 2008 at 8:05 am #

    I find that using a program called meebo works the best for me. This site is basically an in browsing chat program which allows all the chatting and none of the files. If someone wants to send a file I have them email it to me (GMail AV and my own make it very very hard to get infected).

    Shouldn’t MSN implement some kind of handicap for people trying to send out like 10,000 messages in a few minutes?

  6. Pantagruel February 7, 2008 at 3:38 pm #

    It would be nice if MSN indeed would implement a ‘spam limiting amount you can send’ routine. But I guess they (MS/MSN that is) are quite happy with the ‘active’ virtual social life some people have (or in the case of an MSN spammer seem to be having).

    meebo is a nice one, I have used in the past (usually when abroad).

  7. Nobody_Holme February 7, 2008 at 4:07 pm #

    Meh. If you’re competent with computers, there’s no need to move to another piece of software, because you can always just /block people.

  8. Pantagruel February 7, 2008 at 6:45 pm #


    Blocking a MSN user is only possible in retrospect. Usually the spammers will use and discard the used MSN/AIM/whatever chat client account. But then again, I hardly get more than 1 spam message a month trying to convince me either to get some pills for enlargement or some money scheme and they go straight to the bin.

  9. eM3rC February 8, 2008 at 3:38 am #

    I like AIMs system where you can only send a certain # of messages within an allotted amount of time and you need recharge time before you can send large amounts of messages.

    It’s like saying “you can always hang up on telemarketers or delete the spam”. It would be nice if it was gone.

  10. J. Lion February 12, 2008 at 1:10 am #

    Ignoring the link or file transfer is always the best option if the person is already in your buddy list.

    However, informing your buddy that he/she has an infected machine often brings a lot of grief and then despair.

  11. eM3rC February 12, 2008 at 1:56 am #

    @J Lion
    I think it’s easy to just ignore the spam or block the people sending out the spam but I think something should be done about regulating messages or increasing awareness for IM infections.

  12. rrk March 28, 2008 at 11:16 am #

    the virus is messaging my contacts with a nickname i had used last year even when my pc is switched off!! wtf do i do?

  13. zupakomputer March 28, 2008 at 3:59 pm #

    rrk: is the modem still plugged in or active (if it’s wireless) when the PC is powered off?
    Are you sure it’s the same trojan? It might be something else that’s phished your details and is messaging people from another machine – if you can see where it is installed (on your pc) then remove it & delete it… I’m not sure if this is some kind of rootkit; if it is then you might need to do a bit more than just deleting it cause it would have some means to reinstall itself.

    Goodpeople: doesn’t the network block any unauthorised client additions – or if they’re going on by wireless then use MAC filters as well as any encryption keys. I wish my college had more students that could afford laptops, including me,….it’d be a nicer place if it wasn’t such a chav-ridden nightmare. Not that everyone with money is ok, some are just spoiled by their parents, but I think overall it’d be better to up the class somewhat.

  14. fever April 8, 2008 at 7:57 pm #

    took some work to put this together, just wish builders would redirect attention to constructive things. don’t waste your skills on the bad, focus on the good.