Fake Windows Live Malware Spreads via Email | Malware Blog

February 2012
S	M	T	W	T	F	S
« Jan
	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29

Sep28

Fake Windows Live Malware Spreads via Email

6:00 am (UTC-7) | by Joey Costoya (Senior Threat Researcher)

Trend Micro threat analysts recently snagged an email pushing a bogus Windows Live Messenger residing in http://{BLOCKED}s-live-msn.serveftp.com/Windows_Live_9.0_beta.exe (detected as WORM_VB.PAB). The .EXE file is, of course, not the “real” Windows Live Messenger but a bot that reports to an IRC-based C&C with the following details about the infected system:

Server: {BLOCKED}s.rvsanmiguel.com
Server IP: {BLOCKED}.{BLOCKED}.110.141
Port: 6767
Serverkey: m4s3rvp4ssz
Channel: #s3k4nt
Chankey: m4n0sp4z

Click for larger view

Figure 1. Sample spam email

The said bot’s primary function seems to be MSN spamming. As of this writing, the C&C channel is currently idle, as it has not yet issued commands. Apart from MSN spamming, the said bot was also designed to spread via USB autorun and P2P networks like Kazaa and Limewire.

Windows Live Messenger users should thus refrain from clicking the malicious URL spreading via email to avoid infection. Trend Micro Smart Protection Network already blocks the malicious URL and detects the fake Windows Live Messenger as WORM_VB.PAB.

Share this article

This entry was posted on Monday, September 28th, 2009 at 6:00 am and is filed under Malware, Security, Spam . Both comments and pings are currently closed.

TrendLabs Malware Blog

Trend Micro

One-click Billing Fraud

Mobile

Recent Posts

Calendar

8 Responses to “Fake Windows Live Malware Spreads via Email”

Trackbacks