Multilingual Worm Spreads Over MSN Messenger

Another MSN worm is spreading with the same tactics as usual: “Wanna see my pictures before i send em to facebook?” and so on.

The only really interesting thing about this worm is that it sends the message in the language of the locale installed on the infected machine. This is pretty intelligent and much more likely to work, as most of the people on someone's contact list are probably from the same country or at least use the same language.

The IRCBOT-RB Trojan poses as messages containing links to pictures on social networking sites such as MySpace and Facebook. Typical come-ons involve messages such as “Wanna see my pictures before i send em to facebook?”. Clicking on a link takes users to booby-trapped websites.

Unusually, the polyglot malware changes these messages according to the language of the affected operating system used. Compromised machines are infected by a simple bot agent that leaves the hardware hooked up to a central control server, awaiting instructions.

This would mean it’s much more believable than someone who speaks Portuguese to their friends sending a message in English. As usual, please educate people not to blindly follow or click links, and definitely don’t accept files sent by friends on MSN/Yahoo! or AIM, as they are most likely auto-generated by a trojan.

Do message the person back manually and ask them if they really sent it.
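Because the lure text changes with the locale, a filter keyed on the English phrase misses infected accounts in other languages. The following is an added example (not from the original post or The Register) of a language-independent check that flags an account sending link-bearing messages to many distinct contacts in a short window; the log format, thresholds, account names and sample messages are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def _burst(sender, start, text, n=5):
    # One link-bearing message per second to n different contacts.
    return [(start + i, sender, f"{sender}_contact{i}", text) for i in range(n)]

# Constructed log of (epoch seconds, sender, recipient, text). The Portuguese
# lure wording and the .example hosts are made up for this example.
SAMPLE_LOG = (
    _burst("bob", 1000, "Wanna see my pictures before i send em to facebook? http://photos.example/v")
    + _burst("ana", 2000, "Quer ver minhas fotos antes de eu mandar pro facebook? http://photos.example/v")
    + [(3000, "carol", "dave", "lunch at noon?"),
       (3030, "carol", "dave", "menu: http://cafe.example/menu"),
       (3900, "carol", "erin", "menu: http://cafe.example/menu")]
)

def keyword_filter(events, phrase="wanna see my pictures"):
    """Naive check: senders whose text contains the English lure phrase."""
    return {sender for _, sender, _, text in events if phrase in text.lower()}

def flag_link_bursts(events, window=60, max_recipients=3):
    """Map each sender to the time its link-bearing messages first reached
    more than max_recipients distinct contacts within window seconds."""
    recent = defaultdict(deque)  # sender -> (timestamp, recipient) in window
    flagged = {}
    for ts, sender, recipient, text in sorted(events):
        if not URL_RE.search(text):
            continue  # only messages carrying a link count toward the burst
        queue = recent[sender]
        queue.append((ts, recipient))
        while ts - queue[0][0] > window:
            queue.popleft()
        if sender not in flagged and len({r for _, r in queue}) > max_recipients:
            flagged[sender] = ts
    return flagged

if __name__ == "__main__":
    print("keyword filter:", keyword_filter(SAMPLE_LOG))
    print("fan-out check: ", flag_link_bursts(SAMPLE_LOG))
```

The keyword filter catches only the English-locale account, while the fan-out check flags both bursting accounts and leaves the ordinary user who shares one link with two friends alone.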

Source: The Register

Posted in: Malware, Social Engineering


14 Responses to Multilingual Worm Spreads Over MSN Messenger

  1. Nobody_Holme January 30, 2008 at 4:28 pm #

    I just ignore files as a habit unless we were discussing it just before. safety FTW.

  2. goodpeople January 30, 2008 at 5:11 pm #

    We already established that the bad guys are getting smarter. One more reason not to allow MSN at work…

  3. Pantagruel January 30, 2008 at 10:52 pm #

    The main reason to block/not allow any chat client (icq/msn/aim/skype/whatever) on a production network is just because these chat clients are not secure and time upon time have proven to provide vulnerabilities. At work we block all known chat clients on production machines and have setup an additional number of machines which have no access to the production network and provide chat clients.

  4. goodpeople January 31, 2008 at 12:32 pm #

    Wish it were that easy where I work. My students all bring their own laptop…

  5. eM3rC February 7, 2008 at 8:05 am #

    I find that using a program called meebo works the best for me. This site is basically an in browsing chat program which allows all the chatting and none of the files. If someone wants to send a file I have them email it to me (GMail AV and my own make it very very hard to get infected).

    Shouldn’t MSN implement some kind of handicap for people trying to send out like 10,000 messages in a few minutes?

  6. Pantagruel February 7, 2008 at 3:38 pm #

    It would be nice if MSN indeed would implement a ‘spam limiting amount you can send’ routine. But I guess they (MS/MSN that is) are quite happy with the ‘active’ virtual social life some people have (or in the case of an MSN spammer seem to be having).

    meebo is a nice one, I have used in the past (usually when abroad).

  7. Nobody_Holme February 7, 2008 at 4:07 pm #

    Meh. If you’re competent with computers, there’s no need to move to another piece of software, because you can always just /block people.

  8. Pantagruel February 7, 2008 at 6:45 pm #


    Blocking an MSN user is only possible in retrospect. Usually the spammers will use and discard the used MSN/AIM/whatever chat client account. But then again, I hardly get more than 1 spam message a month trying to convince me either to get some pills for enlargement or some money scheme and they go straight to the bin.

  9. eM3rC February 8, 2008 at 3:38 am #

    I like AIMs system where you can only send a certain # of messages within an allotted amount of time and you need recharge time before you can send large amounts of messages.

    It’s like saying “you can always hang up on telemarketers or delete the spam”. It would be nice if it was gone.

  10. J. Lion February 12, 2008 at 1:10 am #

    Ignoring the link or file transfer is always the best option if the person is already in your buddy list.

    However, informing your buddy that he/she has an infected machine often brings a lot of grief and then despair.

  11. eM3rC February 12, 2008 at 1:56 am #

    @J Lion
    I think it’s easy to just ignore the spam or block the people sending out the spam but I think something should be done about regulating messages or increasing awareness for IM infections.

  12. rrk March 28, 2008 at 11:16 am #

    the virus is messaging my contacts with a nickname i had used last year even when my pc is switched off!! wtf do i do?

  13. zupakomputer March 28, 2008 at 3:59 pm #

    rrk: is the modem still plugged in or active (if it’s wireless) when the PC is powered off?
    Are you sure it’s the same trojan? It might be something else that’s phished your details and is messaging people from another machine – if you can see where it is installed (on your pc) then remove it & delete it… I’m not sure if this is some kind of rootkit; if it is then you might need to do a bit more than just deleting it cause it would have some means to reinstall itself.

    Goodpeople: doesn’t the network block any unauthorised client additions – or if they’re going on by wireless then use MAC filters as well as any encryption keys. I wish my college had more students that could afford laptops, including me,….it’d be a nicer place if it wasn’t such a chav-ridden nightmare. Not that everyone with money is ok, some are just spoiled by their parents, but I think overall it’d be better to up the class somewhat.

  14. fever April 8, 2008 at 7:57 pm #

    took some work to put this together, just wish builders would redirect attention to constructive things. don’t waste your skills on the bad, focus on the good.