[Plug-security] OT: Found: MSN Messenger Trojan/Forgery

Gontran plug-security@lists.PLUG.phoenix.az.us
Wed, 8 Aug 2001 12:40:10 -0700


Sorry for the off-topic post -- it's not Linux related.

This morning my wife was prompted to download a new version of MSN 
messenger in the usual fashion that msn messenger updates are propagated, 
via the messenger itself with a popup window -- only it was in Greek font.

Of course my wife figured, yet another update from MS and did so probably
for a security patch -- look there's Greek font!  Only this time (different 
than usual) the installer requested a reboot.  This is completely unusual 
with respect to msn messenger upgrades, so my wife waved the red 
flag.

So this morning I've been in Quincy mode, I've tracked down the files that
the initial installer modified and inserted in preparation for a reboot, as
well as the binary installer itself.  Due to run after a reboot.

Basically, it appears as if it will replace msnmessenger and some related
dll files -- I suspect in order to dual broadcast messages? Specifically
via a 'wininit.inf' file.

After reading some interesting deconstructions on CRII on incidents.org last
night, I'm a little hot to notify someone and/or determine from where this
bugger has come or will report via reverse engineering or the like. Cat-ing
the binary through 'strings' produces some interesting stuff, but no IP 
numbers.

Ultimately, I don't have the time to play with this too much, but am interested
in notifying persons such as yourselves and your clients.

Any hints, suggestions, requests for evidence or more information are welcome.

Best regards and good luck,
Gontran