Slashdot Mirror


Microsoft Instant Messenger Virus Sweeps Net

Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAScript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?

2 of 400 comments

  1. Re:what's the url? by Schmerd · Score: 0, Redundant

    Are you serious? A URL is an address, not necessarily something you can click on. /. left off the HREF on purpose so that people wouldn't blindly click and get burned by the malicious code.

  2. It's really an IE virus by _fuzz_ · Score: 1, Redundant
    The MSN Messenger protocol has nothing in it that would allow the retrieval of contacts, etc. (I've implemented a Java library that speaks MSN Messenger: MSNj (shameless plug)). The protocol isn't any more or less secure than HTTP.

    The virus probably just gets the COM object that their messenger implements through JavaScript. The security hole is that IE lets a web page talk to the messenger client. I would guess that it does that so you can add contacts by clicking on web links and stuff like that.

    --
    47% of all statistics are made up on the spot.