Tuesday, August 14, 2007

Img807.zip or MsnPoopy

Yesterday I was receiving some innocuous-looking file transfer requests from my friends in MSN Messenger. The file was Img807.zip, sent with messages like:

Did you take this picture?
is that you on the left?
How drunk was I in this picture?
Is that your mom in this picture?
lol, your mom just sent me this picture?

The zip contains a file named img807.jpg-www.photoalbums.com, which looks like a URL. This was actually a worm!

I have written a small removal tool. You can get it here.

It seems to be a variant of worm MsnPoopy.A.

Quick analysis shows that:
1. It creates a batch file c:\a.bat (deleted later) to execute the worm.

2. It stops the “Security Center” service and any running VNC servers (net1 stop winvnc4).

3. It creates two files, c:\windows\vpcrtf.exe and c:\windows\img807.zip. The original .com file and vpcrtf.exe are the same file (MD5 7299c5d5d5761779dfedfbd3808c8ed8).

4. It modifies the IE Security ZoneMap and resets IE BypassProxy to enabled (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap).

5. It creates a startup entry named “Microsoft Visual Application” under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

6. It connects to 85.114.143.159 (chat2.ms.com). An excerpt of the TCP stream shows it opening a chat session on that server under a random name.

Text like this was found inside the exe:

[DDoS]: Flooding %s:%s with %s for %s seconds
[DDoS]: Done with flood (%iKB/sec).

Commands used with the chat server are:

PASS %s
NICK %s
USER %s * 0 :%s
Leaving
QUIT %s
QUIT
JOIN
PART
QUIT
NOTICE
PRIVMSG
NICK
PING
PONG %s
NOTICE %s :%s
PRIVMSG %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
MODE %s %s
MODE %s %s %s

An instance of the communication with chat2.ms.com:

PASS letmein
NICK drcdetbkfr
USER drcdetbkfr * 0 :XXXXX
:chat2.ms.com NOTICE AUTH :*** Looking up your hostname...
:chat2.ms.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:chat2.ms.com NOTICE drcdetbkfr :*** If you are having problems connecting due to ping timeouts, please type /quote pong E7514D5C or /raw pong E7514D5C now.
PING :E7514D5C
PONG E7514D5C
:chat2.ms.com 001 drcdetbkfr
:chat2.ms.com 002 drcdetbkfr : M0dded by uNkn0wn Crew
:chat2.ms.com 003 drcdetbkfr
:chat2.ms.com 004 drcdetbkfr : www.uNkn0wn.eu - iD@uNkn0wn.eu
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 422 drcdetbkfr :MOTD File is missing
:drcdetbkfr MODE drcdetbkfr :+iwxG
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
:drcdetbkfr!drcdetbkfr@18BA964C.E3E058E5.86DFE602.IP JOIN :##l##
:chat2.ms.com 332 drcdetbkfr ##l## :.msnstop|.msnstart
:chat2.ms.com 333 drcdetbkfr ##l## C 1186984256
:jmixkwtc!jmixkwtc@adsl-pool-222.123.92-138.tttmaxnet.com JOIN :##l##
:xfjgadoe!nawcggrq@222.111.240.15 JOIN :##l##
:toltsnwg!toltsnwg@0wn3d-5CBFC5F9.adsl.totbb.net QUIT :Ping timeout
PRIVMSG ##l## :MSN Spread Has Been Deactivated.
:xgdpzrej!xgdpzrej@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
:lfysnvlf!lfysnvlf@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:kqeocoup!kqeocoup@0wn3d-E41BFE89.tttmaxnet.com JOIN :##l##
:lyoiwhnz!lyoiwhnz@0wn3d-6F3B1EB.revip2.asianet.co.th JOIN :##l##
:kulbdupj!kulbdupj@aworklan024095.netvigator.com QUIT :Connection reset by peer
:cfpmzenv!cfpmzenv@A634004F.F5AADB4E.2BA61D.IP QUIT :Ping timeout
PRIVMSG ##l## :MSN worm sent to: 0 contacts

:koopoxxg!koopoxxg@59.44.43.155 JOIN :##l##
:ztuxqkph!ztuxqkph@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
PRIVMSG ##l## :MSN Spread Has Been Activated.
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:zmqtlvgt!zmqtlvgt@B1CADB.3F468E44.D7B2BA0C.IP JOIN :##l##
:ldsjwlel!ldsjwlel@0wn3d-5269B4BC.totbb.net JOIN :##l##
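As an added example (not the author's removal tool, and nothing from the worm itself), the Python below parses a captured session like the one above and pulls out the indicators a defender would record: the server, the bot's nick and password, the channel and its key, the topic the server hands back (which the bot treats as its standing command) and the status reports the bot posts to the channel. The sample stream is a constructed excerpt of the capture above.

```python
# Constructed excerpt of the session above (client lines carry no ':' source prefix).
SAMPLE_STREAM = """PASS letmein
NICK drcdetbkfr
:chat2.ms.com 001 drcdetbkfr
JOIN ##L## torrent
:drcdetbkfr!drcdetbkfr@18BA964C.E3E058E5.86DFE602.IP JOIN :##l##
:chat2.ms.com 332 drcdetbkfr ##l## :.msnstop|.msnstart
:jmixkwtc!jmixkwtc@adsl-pool-222.123.92-138.tttmaxnet.com JOIN :##l##
PRIVMSG ##l## :MSN Spread Has Been Deactivated.
PRIVMSG ##l## :MSN worm sent to: 0 contacts
PRIVMSG ##l## :MSN Spread Has Been Activated.
"""

def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return prefix, parts[0].upper(), parts[1:], trailing

def summarize_bot_session(stream):
    """Collect the C2 indicators worth recording from a captured session."""
    info = {"server": None, "nick": None, "password": None, "channel": None,
            "channel_key": None, "topic": None, "status_reports": [], "peer_bots": set()}
    for raw in filter(None, stream.splitlines()):
        prefix, cmd, params, trailing = parse_irc_line(raw)
        if prefix is None:  # sent by the infected host
            if cmd == "PASS" and params:
                info["password"] = params[0]
            elif cmd == "NICK" and params:
                info["nick"] = params[0]
            elif cmd == "JOIN" and params:  # channel names are case-insensitive
                info["channel"] = params[0].lower()
                info["channel_key"] = params[1] if len(params) > 1 else None
            elif cmd == "PRIVMSG" and trailing:
                info["status_reports"].append(trailing)
        else:  # sent by the server or relayed from another client
            if cmd.isdigit() and info["server"] is None:
                info["server"] = prefix
            if cmd == "332":  # RPL_TOPIC: the topic is the bot's standing command
                info["topic"] = trailing
            elif cmd == "JOIN" and "!" in prefix:
                nick = prefix.split("!", 1)[0]
                if nick != info["nick"]:
                    info["peer_bots"].add(nick)
    return info
```

The same summary run over a full sensor capture gives the channel, key and topic to watch for in IDS rules, and the other nicks seen joining are other infected hosts reporting to the same server.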

The removal tool simply kills vpcrtf.exe, removes the two files windows\vpcrtf.exe and windows\img807.zip, and deletes the registry startup entry.




posted by GNUlihd @ 2:57 AM 10 comments