Two readers sent us notes about some malware circulating on MSN Messenger.
Seems like every 15 minutes someone else on my MSN buddy list sends me a message with:
"Hot or Not? hxxp://mymsngallery.my.funpic firstname.lastname@example.org"
"this really looks like you hxxp://mymsngallery.my.funpic email@example.com"
Where firstname.lastname@example.org is my email address. Pulling up the page returns an 876032-byte file that appears to be an executable.
As of this writing the above site is still live and distributing the executable.
Running the malware through VirusTotal gives these results.
A second submission came in a few hours after the first one:
We’ve had a handful of hosts that have been infected via a Trojan that arrives over MSN. While we don’t have specifics it would appear as though the message is similar to “Here’s a funny pic of you...”. The link is on the funpic.de domain, we don’t have the full hostname, but understand the site is a photo sharing site in Germany. The file downloaded is PIC006.JPG-www.photoshare.com. On the one system our student technicians had access to it also appeared that malware opened a connection to 18.104.22.168:2007.
We had a similar outbreak a few weeks ago with our faculty/staff, but the payload was not the .com file, but rather an “a.bat” and an .exe (I couldn’t find the name off-hand). While we blocked outbound traffic to the funpic.de domain, we didn’t do it on all interfaces — so again now our students are infected with something similar that should have been prevented. Lesson learned: Once you block, test, test, and test! By the way, Symantec threw a generic Trojan warning on our earlier outbreak and would quarantine the files, but not this one (.com).
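The file name in the second report, PIC006.JPG-www.photoshare.com, reads like a picture and a web address but ends in .com, an extension Windows executes. The following is an added example, not part of the original diary or of either reader's submission: a Python check that flags such disguised names in web proxy logs. The three-field log format, the host names and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Final extensions Windows runs directly (a subset; extend for your site).
EXECUTABLE_EXTS = {"com", "exe", "bat", "scr", "pif", "cmd"}
# Extensions a user expects to be harmless pictures.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}

def classify_download(url):
    """Return the reasons a downloaded file name looks disguised (empty if none)."""
    # Only the path matters: a host such as www.example.com must not match.
    name = unquote(urlsplit(url).path).rsplit("/", 1)[-1].lower()
    if "." not in name:
        return []
    stem, final_ext = name.rsplit(".", 1)
    if final_ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    # A picture extension buried before the real one, e.g. PIC006.JPG-...
    if any(tok in DECOY_EXTS for tok in re.split(r"[^a-z0-9]+", stem)):
        reasons.append("decoy-media-extension")
    # A tail dressed up as a host name so ".com" looks like a domain.
    if final_ext == "com" and re.search(r"(^|[^a-z0-9])www\.[a-z0-9-]+$", stem):
        reasons.append("hostname-lookalike-tail")
    return reasons

def scan(log_text):
    """Yield-style scan of 'timestamp client url' lines; returns flagged hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, url = parts
        reasons = classify_download(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits

# Constructed sample log; only the file name on the first line is from the report.
SAMPLE_LOG = """\
T1 10.0.0.21 http://host.example.test/PIC006.JPG-www.photoshare.com
T2 10.0.0.22 http://host.example.test/gallery/holiday.jpg
T3 10.0.0.23 http://host.example.test/tools/setup.exe
T4 10.0.0.24 http://www.example.com/
"""

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

Plain executables such as setup.exe are deliberately not flagged here; the check targets only names that hide an executable extension behind a picture or host-name lookalike.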
If you see any variations on this please let us know via the contact form.
Marcus H. Sachs
Director, SANS Internet Storm Center