Security News

New MSN messenger worm – Agent.LVB (Nov 25, 2009)

By

SonicWALL UTM Research team observed a new MSN messenger Worm in the wild spreading by sending malicious URLs to the online Instant Messenger contacts on the victim machine.

The IM messages looks like this:

screenshot

If the target user clicks on the link it will download a copy of the MSN messenger worm. The executable file is a Microsoft Cabinet Self-Extractor file and it looks like:

screenshot

Upon execution, the MSN messenger worm performs following activities:

  • Drops malicious executable files on the victim machine:
    • (Temp)IXP000.TMPbots.exe [Detected as GAV: Agent.LVB_2 (Trojan)]
    • (WINDOWS)bakajok.exe.exe [Detected as GAV: Agent.LVB_2 (Trojan)]

  • Creates a registry entry HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunJava Update: “bakajok.exe.exe” to ensure that the dropped copy of the malware starts on every system reboot.

  • It opens up a dialog box:

    screenshot

  • It connects to a malicious IRC server hosted at bub.th3k(REMOVED)net on TCP port 27034 and waits for C&C commands. A memory dump of the Worm shows the strings related to the IRC bot component:

    screenshot

  • The worm detects any security tool and will stop execution. It will come back on next restart due to autostart registry entry.

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.LVB (Worm) signature.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Exploits for CVE-2015-2331 spotted in the Wild (Oct 02, 2015)
Wannacry copycat rampant on Android ecosystem
Microsoft Visual Studio RCE Vulnerability
Microsoft Elevation of Privilege Vulnerability MS14-068 (November 18, 2014)
Oracle Java CVE-2013-2465 attacks spotted in the wild (Nov 1, 2013)
Exploit for PDF vulnerability CVE-2018-4990 exists in the wild
Cybersecurity News & Trends - 05-07-20
Hackers are actively trying to exploit vulnerable Microsoft Exchange Servers