MSN Messenger Trojan

Published: 2008-02-09
Last Updated: 2008-02-09 11:24:09 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Two readers sent us notes about some malware circulating on MSN Messenger.

First note:

Seems like every 15 minutes someone else on my MSN buddy list sends me a message with:

 "Hot or Not? hxxp:// de/viewimage.php?" 


 "this really looks like you hxxp:// de/viewimage.php?"

Where is my email adddress.  Pulling up the page returns a 876032 byte file that appears to be an executable.

As of this writing the above site is still live and distributing executable.

Running the malware through VirusTotal give these results.

A second submission came in a few hours after the first one:

We’ve had a handful of hosts that have been infected via a Trojan that arrives over MSN.  While we don’t have specifics it would appear as though the message is similar to “Here’s a funny pic of you...”.  The link is on the domain, we don’t have the full hostname, but understand the site is a photo sharing site in Germany.  The file downloaded is  On the one system our student technicians had access to it also appeared that malware opened a connection to

We had a similar outbreak a few weeks ago with our faculty/staff, but the payload was not the .com file, but rather an “a.bat” and an .exe (I couldn’t find the name off-hand).  While we blocked outbound traffic to the domain, we didn’t do it on all interfaces — so again now our students are infected with something similar that should have been prevented.  Lesson learned:  Once you block, test, test, and test!  By the way, Symantec threw a generic Trojan warning on our earlier outbreak and would quarantine the files, but not this one (.com).

If you see any variations on this please let us know via the contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 comment(s)


Diary Archives