NEWS FROM THE LAB - Tuesday, September 26, 2006

MSN Worm Used to Download Adware Programs Posted by Elda @ 05:53 GMT

We have received reports from customers of suspicious pop-ups that were being spammed through MSN Messenger. Below is a sample message:

Licat.C Example

When the link in the message is clicked, it automatically downloads a file named photo942.PIF. This file is the backdoor component of Licat.C. It is used to connect to go.cheap[Removed].info and go.links4[Removed].biz.

These websites contain a malicious IP address. Accessing that address in turn downloads further malware and adware from www.uglyphotos.net/[Removed] and executes it on the infected machine.

One of the downloaded files is responsible for the pop-up messages that are being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe. This file is also detected as IM-Worm.Win32.Licat.c.

Licat.C also attempts to replace the original MSN Messenger application client, msnmsgr.exe, with its own copy. The original Messenger file is renamed and is started by the copy. Deleting the Licat.C copy and renaming the original file, msgs.exe, may repair the installation of Messenger.

The other downloaded files are adware-related. One is a trojan that drops a variant of PurityScan adware onto the system - detected as Trojan-Dropper.Win32.PurityScan.ag. The other is a Softomate adware installer - detected as Softomate toolbar.
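The artefact names above (photo942.PIF, sprT.exe, the www.uglyphotos.net download host, and the msnmsgr.exe / msgs.exe swap) are enough to build simple triage checks. The script below is an added example and not F-Secure's tooling: it scans proxy log lines for downloads of the named files or from the named host, and it tests a Messenger directory listing for the side-by-side msnmsgr.exe and msgs.exe that the post describes. The log format, the sample log lines and the URL paths in them are constructed; hostnames the post redacts with [Removed] are deliberately not guessed.

```python
"""Triage helpers for the Licat.C indicators described in the post.

Added example (not F-Secure's own code). Only the file and host names
the post gives are used; the log format and sample lines are constructed.
"""
import re
from pathlib import Path

# Indicators taken from the post. Domains shown as "[Removed]" are omitted.
SUSPICIOUS_FILENAMES = {"photo942.pif", "sprt.exe"}
SUSPICIOUS_HOSTS = {"www.uglyphotos.net"}

# Constructed proxy log in a hypothetical "timestamp client METHOD url" form.
# The paths are made up; the post redacts the real ones.
SAMPLE_PROXY_LOG = """\
2006-09-26T05:10:01Z 10.0.0.12 GET http://example.com/index.html
2006-09-26T05:11:42Z 10.0.0.12 GET http://www.example.org/photo942.PIF
2006-09-26T05:12:03Z 10.0.0.12 GET http://www.uglyphotos.net/path-removed/sprT.exe
2006-09-26T05:13:55Z 10.0.0.17 GET http://example.com/news.html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")


def find_licat_indicators(log_text):
    """Return (client, reason, url) for each log line that matches an indicator.

    reason is "host" when the download host is one the post names, and
    "filename" when the requested file name is one the post names.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, client, _method, url = m.groups()
        um = URL_RE.match(url)
        if not um:
            continue
        host = um.group(1).lower()
        path = um.group(2) or ""
        filename = path.rsplit("/", 1)[-1].lower()  # case-insensitive match
        if host in SUSPICIOUS_HOSTS:
            hits.append((client, "host", url))
        elif filename in SUSPICIOUS_FILENAMES:
            hits.append((client, "filename", url))
    return hits


def messenger_client_replaced(file_names):
    """True when a Messenger directory listing shows the swap the post describes:
    the worm's copy sits as msnmsgr.exe next to the renamed original msgs.exe.
    This is a heuristic; confirm with a scan before deleting anything.
    """
    names = {n.lower() for n in file_names}
    return "msnmsgr.exe" in names and "msgs.exe" in names


def check_messenger_dir(directory):
    """Run the swap check against a real directory (path is an assumption)."""
    return messenger_client_replaced(p.name for p in Path(directory).iterdir())


if __name__ == "__main__":
    for client, reason, url in find_licat_indicators(SAMPLE_PROXY_LOG):
        print(f"{client}: suspicious {reason} -> {url}")
    # Constructed listing standing in for a Messenger install directory.
    print("client replaced:", messenger_client_replaced(["msnmsgr.exe", "msgs.exe"]))
```

On a live system, pass the Messenger install directory to check_messenger_dir; a positive result is a cue to let the AV product clean the worm's copy and then restore the original, as the post describes, rather than to delete files by hand on the strength of a name match alone.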

Nowadays, instant messenger worms are being used to install adware programs. Be suspicious of unsolicited links in your IM client. Below is an illustration of the process:


Updated to add: Adjustments have been made to this post regarding msnmsgr.exe. Please see the Licat.C description for additional details.