Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    6:00 am (UTC-7)   |    by

    Trend Micro threat analysts recently snagged an email pushing a bogus Windows Live Messenger residing in http://{BLOCKED} (detected as WORM_VB.PAB). The .EXE file is, of course, not the “real” Windows Live Messenger but a bot that reports to an IRC-based C&C with the following details about the infected system:

    Server: {BLOCKED}
    Server IP: {BLOCKED}.{BLOCKED}.110.141
    Port: 6767
    Serverkey: m4s3rvp4ssz
    Channel: #s3k4nt
    Chankey: m4n0sp4z

    Click for larger view

    Figure 1. Sample spam email

    The said bot’s primary function seems to be MSN spamming. As of this writing, the C&C channel is currently idle, as it has not yet issued commands. Apart from MSN spamming, the said bot was also designed to spread via USB autorun and P2P networks like Kazaa and Limewire.

    Windows Live Messenger users should thus refrain from clicking the malicious URL spreading via email to avoid infection. Trend Micro Smart Protection Network already blocks the malicious URL and detects the fake Windows Live Messenger as WORM_VB.PAB.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice