New MSN messenger worm – Agent.LVB (Nov 25, 2009)


SonicWALL UTM Research team observed a new MSN messenger Worm in the wild spreading by sending malicious URLs to the online Instant Messenger contacts on the victim machine.

The IM messages looks like this:


If the target user clicks on the link it will download a copy of the MSN messenger worm. The executable file is a Microsoft Cabinet Self-Extractor file and it looks like:


Upon execution, the MSN messenger worm performs following activities:

  • Drops malicious executable files on the victim machine:
    • (Temp)IXP000.TMPbots.exe [Detected as GAV: Agent.LVB_2 (Trojan)]
    • (WINDOWS)bakajok.exe.exe [Detected as GAV: Agent.LVB_2 (Trojan)]
  • Creates a registry entry HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunJava Update: “bakajok.exe.exe” to ensure that the dropped copy of the malware starts on every system reboot.
  • It opens up a dialog box:


  • It connects to a malicious IRC server hosted at bub.th3k(REMOVED)net on TCP port 27034 and waits for C&C commands. A memory dump of the Worm shows the strings related to the IRC bot component:


  • The worm detects any security tool and will stop execution. It will come back on next restart due to autostart registry entry.

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.LVB (Worm) signature.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.