New Windows Live Messenger worm (Feb 25, 2011)

The SonicWALL UTM Research team received reports of a new variant of a Windows Live messenger Worm propagating in the wild. This Worm spreads by presenting various links to users on the MSN contact list of the compromised user. The Worm also downloads FakeAV software upon installation.

An unsuspecting user may receive a message over the MSN Messenger network containing a link to a malicious file:

Upon execution of the downloaded file, the FakeAV software will display the following pop-up:

It will perform a fake scan of the system:

Upon pressing "Yes" the Trojan will pop up a payment page in Internet Explorer for purchasing the FakeAV software:

The worm performs the following DNS queries:

• www.startacademy.be
• host5500.net

It downloads www.{removed}/bb.exe and renames the file to 4417934.exe

The following files are dropped on the compromised system:

• C:Documents and Settings{USER}Application Datamsnsvconfig.txt
• C:Documents and Settings{USER}Local SettingsTemp4417934.exe
• C:Documents and Settings{USER}Microsoft-Driver-1-52-2475-9627-8645winrsvn.exe

Registry modification:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Microsoft(R) Service Update "C:Documents and Settings{USER}Microsoft-Driver-1-52-2475-9627-8645winrsvn.exe"
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList C:Documents and Settings{USER}Microsoft-Driver-1-52-2475-9627-8645winrsvn.exe "C:Documents and Settings{USER}Microsoft-Driver-1-52-2475-9627-8645winrsvn.exe:*:Enabled:Microsoft(R) Service Update"

SonicWALL Gateway AntiVirus provides protection against this malware via following signatures:

• GAV: Buzus.HAPC (Trojan)
• GAV: IRCBot.DTO_2 (Trojan)