New Worm Spreads Via MSN Messenger

vxone writes "Anti-virus experts are watching a new worm that spreads through Microsoft Corp.'s MSN Messenger client. The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc. Known as Jitux, the worm is self-propagating and contains a link to a Web site that automatically downloads an executable file named 'jituxramon.exe' to the PC. Once the file runs, the worm begins sending out copies of itself to all of the names in the user's Messenger contact list."

Helpful little program

[Raul654]

For anyone who has tried to uninstall MSN messanger, you know how much of a bitch it is. I recommend Windows XP antispy to get rid of it.

After all, (simpsonism) "no one who speaks german could be evil (/simpsonism) :)

Re:Helpful little program

[Kris_J]

Windows XP users should install SP1, then removing MSN Messenger can simply be removed from the Add/Remove Programs control panel.

Re:Helpful little program

[MacroRex]

With some help from Google it's no bitch at all.

Re:Helpful little program

[SilverCanary]

It's not removed when you do that.
They simply make the executable a hidden file and remove the shortcut.
MSN will still work when you start the executable manually after "removing" it.
(Same goes for Outlook express btw).

Re:Helpful little program

[ScottSpeaks!]

I haven't tried it (no such machine to run it on), but XPlite is a utility that should be very good at removing unwanted "features" from WinXP. (There's a Win2K version as well.) This is by the same guy who created 98lite, which removes all traces of IE from Win98 (which MS had said wasn't possible) and replaces it with the file browser from Win95 (and the web browser of your choice). So when he says it "removes" a feature, I'm inclined to believe it really does.

Re:Helpful little program

[Genom]

Did this to me too - very strange. At first I thought a worm or something might have snuck through (trying to deliver *something* via Messenger), but Norton comes up empty on the virus/worm front, and Adaware/SpyBot didn't find anything out of the ordinary.

So, I nipped the problem by renaming msnmsgs.exe. Now whatever Windows *thinks* needs Messenger won't be able to start it. Don't get any errors about it either. Since I don't actually *use* Messenger for anything, this has pretty much solved my problem.

Re:Helpful little program

[Chanc_Gorkon]

And what your talking about is NOT MSN messenger. It's Windows Messenger. Some point, around the time XP was developed and released, some idiot at Microsoft thought it might be a good idea to create Windows Messenger. No I ain't talking about the Windoes Messaging service, but Windows Messenger. Windows Messenger was supposed to be pushed a bit to the corporate side of things. Your supposed to be able to run your own IM server in your company. In any case, there are a ton of websites that tell you how to get rid of Windows Messenger. MSN messenger on the other hand must be installed. It IS different then Windows Messenger even though they both work on the MSN messenger service.

Oh and just to give you an idea of how stupid the article was, you actually have to click on a URL that this messege sends to you and unless you have been living under a rock, you can pretty much eliminate this problem by ignoring IM's from anyone that is not on your list. If most of your list does this, then there's no chance of infection. As most IM users have already discovered, there are enough SPAM IM's that are not harmful out there that you should probably set this up from the beginning. Hence the reason why there's only a handful of infections. This is NOT a hole in MSN Messenger....it's just users being the typical idiots that they are and that's only that handful of idiots that have been infected. Most MSN Messenger users would be unaffected by this.

Low risk

[Xenna]

It doesn't seem to be using any particular vulnerabilities in MSN. It depends on users to click on a URL they receive in a message.

Now what responsible user would do that. NAI's web site claims that the worm code itself has been removed from the web server, thus rendering the worm harmless:

http://vil.nai.com/vil/content/v_100931.htm

-- Update 31st December 2003 --
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.web-user.co.uk/news/47502.html

This detection is for a worm intended to propagate via MSN Messenger instant messaging. The worm is written in Visual Basic.

It propagates by sending messages to the MSN messenger contact list. The messages contain a link to the worm itself:

http://www.home.no/( removed )/jituxramon.exe

When the link is clicked, the worm is downloaded to the target machine.

Note: at the time of writing the the worm was unavailable from this URL.

If you must use MSN...

[mcbridematt]

If you must use MSN and don't need file transfers, I recommend you register a Jabber account at any Jabber server, and use a MSN gateway, and try to convince your friends to move to Jabber.

I've done it already, and my MSN account is redundant!

to remove msn messenger

[eonblueye]

copy and paste into a .bat file

@echo off
echo Removing Microsoft Messenger...
rundll32 advpack.dll,LaunchINFSection %WinDir%\inf\msmsgs.inf,BLC.Remove

echo Disabling it from running in the future...
echo REGEDIT4>%temp%\nomsngr.reg
echo
[HKEY_LOCAL_MAC HINE\SOFTWARE\Policies\Microsoft\Me ssenger\Client]>>%temp%\no
msngr.reg
echo "PreventRun"=dword:00000001>>%temp%\nomsngr.reg
echo "PreventAutoRun"=dword:00000001>>%temp%\nomsngr.re g
echo "PreventAutoUpdate"=dword:00000001>>%temp%\nomsngr .reg
echo "PreventBackgroundDownload"=dword:00000001>>%temp% \nomsngr.reg
echo "Disabled"=dword:00000001>>%temp%\nomsngr.re g
regedit /s %temp%\nomsngr.reg

run and bam! messenger is gone for good :)

Re:to remove msn messenger

[Jugalator]

Remember to remove those added whitespaces or it won't work. Like "nomsng.re g", "Me ssenger" should have their spaces removed.

Also, remember to clean up afterwards... :-)

del %temp%\nomsngr.reg

Orphaned temporary files will build up your temp directory to *scary music* BILLIONS of bytes if you don't watch it. :-) Actually, I recently cleaned the temp directory of a coworker where Acrobat Reader had mysteriously stopped working. He had over 65,536 files in his temp directory, which made Acrobat Reader not being able to find free temp file names at startup.

Re:to remove msn messenger

Funny, that looks like the "microsoft-recommended" method of disabling messenger, which could also be done through the policy manager. Thing is, when you do it that way, Outlook Express will hang for nearly 2 full minutes before becoming usable, EVERY TIME you start it.

Surprisingly, if you rename the msmsgs.exe file, it *never* *ever* runs, but Outlook Express will start just as swiftly as it always did.

Insert conspiracy theory here.

Re:What about...

[Dunkelzahn]

Many of the newer 'user friendly desktop' Linuces run as root, such as Lindows. While I think this is horribly stupid, it doesn't stop the fact that many neophytes to the Linux world will be running Gaim or equivalent as root.

Re:What about...

[The+Infamous+Grimace]

"...Ah if only application firewalls were standard issue like virus scanners..."

OS X comes with ipfw preinstalled, and it can be turned on with a couple of mouse-clicks:

Apple Menu->System Preferences
Select 'Sharing'
Select 'Firewall' tab
Click 'Start' button

There is also a tab with a list of service that one can check on or off, and it is easy to add new ones (click the 'New...)

Seems that I've read some debate of the merits of ipfw vs. other firewalls, but it seems to work fine for me. Also, there is the debate about whether or not it should be on or off by default. Personally, I think it should be on.

As far as headless apps, like daemons, I don't know. OS X asks for an admin password any time it needs 'root' access; if one makes sure they know what they're installing, and trusts the source, then I don't think anything too bad could happen.

Although, this just occurred to me. Could something like this launch an app in the background that captured keystrokes and saved them to a non-secure file/folder? That could be a problem.

(tig)

Re:solution

[NickFitz]

According to Network Associates "at the time of writing the the worm was unavailable from this URL".

Dont just remove it, DENY its ability to run

[dave1g]

Click here to disallow anyone or programon your computer to use messenger

Works for XP pro only I believe

Re:Dont just remove it, DENY its ability to run

[MOMOCROME]

hey, foolio:

that's Windows Messenger you are referring to, a completely different beast than MSN Messenger. Windows Messenger is an old component for sending explorer events to domain clients, for saying things like 'The Network is Going Down. Save Your Work Now." and such to your users. MSN Messenger is for "lol cyber u a/s/l/ here's a link to my plush toy auction on ebay" style messages to your social circle (and random people).

Re:What about...

[Spoing]

Could you elaborate on this a little? From what little I understand of permissions in *nix, this might prevent data from being written in the wrong spot (i.e. overwriting of system files), but would it prevent a headless app from running and sending out messages to other machines?

Programs execute with the same permissions as the user, though this happening is not very likely. For this to occur, two things have to happen;

1. The execute bit must be set on the file.
2. The program handling the file must run the program or allow it to be run when clicked.

Neither are impossible, though these are unlikely. (Some apps might skip the first step, though this is also rare.)

Keep in mind that unlike Windows, Unix-style systems don't use the name of the file or it's extention (suffix) to determine if a file is an executible. If Windows followed the same model, you could click on worm.exe and Worm would not run automatically.

Re:What about...

[AuMatar]

Well, files by default are not executable, so it wouldn't execute unless you ran chmod on it. Furthermore, ports 0-1023 are privlidged by most unixes, and can't be bound to unless you run as root, stopping things like spam mail servers.

Re:User Intervention Required?

[Film11]

Not if it downloads it using the open command. I presume the download is small so it would not be long until it downloaded and opened itself automatically. By then when the user realised the download was taking place it would be too late. But as people say it's harmless so I'm not worried.

Re:why is MS always the target?

[muffen]

AIM and YIM have been around a lot longer and no one ever wrote a "worm" (debatable label in this case) for those...

There are worms for ICQ, AIM and MSN. Yahoo IM is the only one that doesn't have a worm right now.

MSN worms have been around for a while now. This isn't news in any way. The worm relied on a website that is now shut, so the worm is effectively disabled.

If you want to know about IM spreading worms, read this or this

Re:So what does it actually do?

[AndroidCat]

A number of the worms linked to spammers and DDoS attacks on anti-spammer sites have been multi-stage jobs. Once a PC is infected, it either scans for or waits for contact to pull down the next stage. (Sort of like a Wormdows Update feature.)

Almost like REALPHX for AIM

[Sprite+Remix]

There's been this virus thats been screwing people' AOL Instant Messenger profiles, what it would do is create a link to the site and if you were to enter it from someones profile, it would install a worm and infect you profile as well. My system didn't get infected though, I'm guessing it was to due to Internet Explorer since I'm using Mozilla and I've been hearing about how scripts can go off in IE.

I kept getting IM bots sending me links to random porn sites since its 'peak' time when it appeared on almost all my friends' profiles. I found the fix here and sent it to my friends. Since their fix, I've been getting less spam.

I would use gAIM but I found that AIM with the final free DeadAim saves more resources on my system.

Re:ITS A VIRUS!!!

[BenV666]

I totally agree.
For those who don't know how, you can uninstall the thing by running:
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

Re: firewalls

[The+Infamous+Grimace]

I guess that I tend to want to err on the side of caution. Include a paper flyer with each new computer explaining in detail the firewall, and how to disable it. Or make it part of the first-time set-up. Design it in such a way that the end user has to go out of their way to not read it (can't continue until the page explaining the firewall has been scrolled down to the bottom or some such).

As far as disrupting some functionality, I hear you, but OS X seems to be mostly free from these issues, at least for home-use. I have the firewall up and running on both our Macs (PB G3 300 and iMac DV 400), and share a printer between them with no problems. I can also connect via SSH, FTP, SMB/CIFS, AppleTalk or Remote Desktop with no issues, although I don't keep them all on. The only problem I've encountered are external FTP sites that have problems with passive ftp.

Of course, YMMV.

(tig)