New Windows Live Messenger worm (Feb 25, 2011)

The SonicWALL UTM Research team received reports of a new variant of a Windows Live Messenger worm propagating in the wild. The worm spreads by sending various links to the users on the MSN contact list of the compromised user. It also downloads FakeAV software upon installation.

An unsuspecting user may receive a message over the MSN Messenger network containing a link to a malicious file:

Upon execution of the downloaded file, the FakeAV software will display the following pop-up:

It will perform a fake scan of the system:

Upon pressing “Yes” the Trojan will pop up a payment page in Internet Explorer for purchasing the FakeAV software:

The worm performs the following DNS queries:

  • www.startacademy.be
  • host5500.net

It downloads www.{removed}/bb.exe [Detected as GAV: Buzus.HAPC (Trojan)] and renames the file to 4417934.exe

The following files are dropped on the compromised system:

  • C:\Documents and Settings\{USER}\Application Data\msnsvconfig.txt
  • C:\Documents and Settings\{USER}\Local Settings\Temp\4417934.exe [Detected as GAV: Buzus.HAPC (Trojan)]
  • C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe [Detected as GAV: Buzus.HAPC (Trojan)]

Registry modification:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft(R) Service Update = "C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe = "C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe:*:Enabled:Microsoft(R) Service Update"
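As an added example (not part of the advisory or SonicWALL's tooling), the following Python script parses a constructed .reg-style export of the two keys listed above and flags any executable that both autostarts from a user profile directory and has been granted an "Enabled" exception in the firewall's AuthorizedApplications list, which is the persistence pattern this worm leaves behind. The sample entries, the user name "alice" and the benign Messenger entry are constructed for illustration.

```python
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Executables living under a user profile are unusual for autostart entries.
USER_PROFILE = re.compile(r"^[a-z]:\\(documents and settings|users)\\", re.I)

# Constructed sample export (.reg syntax: backslashes and quotes are escaped
# inside string data). One benign entry sits beside the worm's entries.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft(R) Service Update"="C:\\Documents and Settings\\alice\\Microsoft-Driver-1-52-2475-9627-8645\\winrsvn.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\alice\\Microsoft-Driver-1-52-2475-9627-8645\\winrsvn.exe"="C:\\Documents and Settings\\alice\\Microsoft-Driver-1-52-2475-9627-8645\\winrsvn.exe:*:Enabled:Microsoft(R) Service Update"
'''

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="data" lines into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # undo .reg escaping of backslashes and quotes
                name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
                keys[current][name] = data
    return keys

def find_suspicious(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Correlate Run-key autostarts under a user profile with Enabled firewall exceptions."""
    autostart: Dict[str, str] = {}
    for name, cmd in keys.get(RUN_KEY, {}).items():
        m = re.match(r'"?(.*?\.exe)', cmd, re.I)  # strip quoting and arguments
        exe = m.group(1) if m else cmd
        if USER_PROFILE.match(exe):
            autostart[exe.lower()] = name
    findings = []
    for data in keys.get(FW_KEY, {}).values():
        parts = data.rsplit(":", 3)  # value format is "path:scope:state:display name"
        if len(parts) == 4 and parts[2] == "Enabled" and parts[0].lower() in autostart:
            findings.append({"exe": parts[0], "run_name": autostart[parts[0].lower()],
                             "fw_name": parts[3]})
    return findings
```

Run against a real export (reg export of both keys), the same two functions apply unchanged.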

SonicWALL Gateway AntiVirus provides protection against this malware via the following signatures:

  • GAV: Buzus.HAPC (Trojan)
  • GAV: IRCBot.DTO_2 (Trojan)
