Another MSN IM-worm is making the rounds, in an effort to create yet another IRC-based botnet. Almost all of the activity that we are seeing is coming from our user community in Italy, Spain, Argentina and Peru.
A message will arrive asking “Is this your photo?”. It carries an attachment that appears to be “134453_9198.JPG-WWW.MYSPACE.zip”, within which is “134453_9198[1].JPG-WWW.MYSPACE.COM”, or one of “134453_9198.JPG-WWW.YOUTUBE.COM”, “134453_9198.JPG-WWW.MSNSPACES.COM” and “IMAGE_134453.JPG-WWW.MYSPACE.COM”. The file may be delivered via a link in the message as well. When executed, the file copies itself to the temp directory as taksmgr.exe and to the Windows directory as wksvcsc.exe or winudpmgr.exe, and attempts to send itself to everyone in your MSN address book. Variants have attempted to phone home to m.bihsecurity.com over IRC and other channels. The activity is recorded in this ThreatExpert report.
VirusTotal results help explain why this one is spreading:
File image_134453_9198.jpg-www.myspace received on 06.04.2008 18:16:28 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.5.30.1 | 2008.06.04 | - |
| AntiVir | 7.8.0.26 | 2008.06.04 | Worm/IrcBot.43803 |
| Authentium | 5.1.0.4 | 2008.06.04 | - |
| Avast | 4.8.1195.0 | 2008.06.04 | - |
| AVG | 7.5.0.516 | 2008.06.04 | - |
| BitDefender | 7.2 | 2008.06.04 | - |
| CAT-QuickHeal | 9.50 | 2008.06.04 | Backdoor.IRCBot.dip |
| ClamAV | 0.92.1 | 2008.06.04 | Trojan.IRCBot-2456 |
| DrWeb | 4.44.0.09170 | 2008.06.04 | - |
| eSafe | 7.0.15.0 | 2008.06.04 | - |
| eTrust-Vet | 31.6.5847 | 2008.06.04 | - |
| Ewido | 4.0 | 2008.06.04 | - |
| F-Prot | 4.4.4.56 | 2008.06.02 | - |
| F-Secure | 6.70.13260.0 | 2008.06.04 | Backdoor.Win32.IRCBot.dip |
| Fortinet | 3.14.0.0 | 2008.06.04 | - |
| GData | 2.0.7306.1023 | 2008.06.04 | Backdoor.Win32.IRCBot.dip |
| Ikarus | T3.1.1.26.0 | 2008.06.04 | Backdoor.Win32.IRCBot.dip |
| Kaspersky | 7.0.0.125 | 2008.06.04 | Backdoor.Win32.IRCBot.dip |
| McAfee | 5309 | 2008.06.03 | - |
| Microsoft | 1.3604 | 2008.06.04 | - |
| NOD32v2 | 3158 | 2008.06.04 | Win32/IRCBot.AGQ |
| Norman | 5.80.02 | 2008.06.04 | - |
| Panda | 9.0.0.4 | 2008.06.04 | Suspicious file |
| Prevx1 | V2 | 2008.06.04 | Worm |
| Rising | 20.47.22.00 | 2008.06.04 | - |
| Sophos | 4.30.0 | 2008.06.04 | Mal/Generic-A |
| Sunbelt | 3.0.1144.1 | 2008.06.04 | - |
| Symantec | 10 | 2008.06.04 | - |
| TheHacker | 6.2.92.333 | 2008.06.03 | - |
| VBA32 | 3.12.6.7 | 2008.06.03 | - |
| VirusBuster | 4.3.26:9 | 2008.06.03 | - |
| Webwasher-Gateway | 6.6.2 | 2008.06.04 | Worm.IrcBot.43803 |

Additional information

| Field | Value |
|---|---|
| File size | 43803 bytes |
| MD5 | 7029a5feddc61e7da347b80c0fa3cc48 |
| SHA1 | 431d7e328245dfd493fce228901c97af2912f7b2 |
| SHA256 | 7a35c959f1c7026115fa41253a782a36909a12a9301ec5d9453c25e238f304cc |
| SHA512 | c29a762a71e28842fd65e2fc798ad79ba4c25ccaa21d57f1e0ac7c708fc107a60f99c528d16d79eb8ab085cb26472d8a892aa4c79e35dd25e01d3cd388b403de |
| PEiD | - |
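As an added triage example (not code from the original post or from any vendor named in it), the script below turns the indicators above into checks a defender can run: it flags lure file names of the “IMAGE_134453.JPG-WWW.MYSPACE.COM” shape, whose real extension is .COM (a Windows executable) hidden behind a fake .JPG and a URL-like suffix, looks for the dropped copies taksmgr.exe, wksvcsc.exe and winudpmgr.exe in the named directories, and compares a found file's MD5 with the hash from the VirusTotal report. The name check generalises past the page's exact names to any image-looking name that ends in an executable or .zip extension; the extension sets are my assumption.

```python
import hashlib
import os
from pathlib import Path
from typing import List, Optional

WORM_MD5 = "7029a5feddc61e7da347b80c0fa3cc48"  # MD5 from the VirusTotal report above
EXEC_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}  # assumed: run on double-click
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}  # assumed: what the lure pretends to be

def disguised_image_name(name: str) -> Optional[str]:
    """Return the real extension when a name poses as an image but would run as a
    program (or is a .zip that may wrap one), otherwise None.

    'IMAGE_134453.JPG-WWW.MYSPACE.COM' ends in '.COM', a Windows executable
    extension; the '.JPG-WWW.' tail and the URL-like suffix hide that.
    """
    parts = name.lower().split(".")
    real_ext = parts[-1]
    # An earlier token that begins with an image extension ('jpg-www') is the
    # decoy; 'vacation.jpg' has no such token and is left alone.
    decoy = any(tok.split("-")[0] in IMAGE_EXTS for tok in parts[:-1])
    return real_ext if decoy and real_ext in EXEC_EXTS | {"zip"} else None

def find_dropped_files(temp_dir: Path, windows_dir: Path) -> List[Path]:
    """Check the drop locations named in the writeup: taksmgr.exe in the temp
    directory, wksvcsc.exe or winudpmgr.exe in the Windows directory."""
    candidates = [temp_dir / "taksmgr.exe",
                  windows_dir / "wksvcsc.exe",
                  windows_dir / "winudpmgr.exe"]
    return [p for p in candidates if p.is_file()]

def matches_known_sample(path: Path) -> bool:
    """Compare the file's MD5 with the sample hash; a mismatch does not clear
    the file, since the writeup mentions several variants."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == WORM_MD5

if __name__ == "__main__":
    for lure in ("IMAGE_134453.JPG-WWW.MYSPACE.COM", "vacation.jpg"):
        print(lure, "->", disguised_image_name(lure))
    temp = Path(os.environ.get("TEMP", "/tmp"))
    windir = Path(os.environ.get("WINDIR", r"C:\Windows"))
    for hit in find_dropped_files(temp, windir):
        verdict = "known sample" if matches_known_sample(hit) else "hash differs, possible variant"
        print(hit, verdict)
```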
We saw this same sort of IM-worm activity in December.
Update — It’s now June 24th. Some of the other vendors’ research teams have had the time to get a little more certain on this worm. Maybe just a nudge would help…