Slashdot Mirror


New Worm Spreads Via MSN Messenger

vxone writes "Anti-virus experts are watching a new worm that spreads through Microsoft Corp.'s MSN Messenger client. The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc. Known as Jitux, the worm is self-propagating and contains a link to a Web site that automatically downloads an executable file named 'jituxramon.exe' to the PC. Once the file runs, the worm begins sending out copies of itself to all of the names in the user's Messenger contact list."

11 of 380 comments

  1. Helpful little program by Raul654 · · Score: 5, Informative

    For anyone who has tried to uninstall MSN Messenger, you know how much of a bitch it is. I recommend Windows XP antispy to get rid of it.

    After all, (simpsonism) "no one who speaks German could be evil" (/simpsonism) :)

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Helpful little program by Kris_J · · Score: 4, Informative

      Windows XP users should install SP1, then MSN Messenger can simply be removed from the Add/Remove Programs control panel.

    2. Re:Helpful little program by MacroRex · · Score: 5, Informative

      With some help from Google it's no bitch at all.

    3. Re:Helpful little program by SilverCanary · · Score: 5, Informative

      It's not removed when you do that.
      They simply make the executable a hidden file and remove the shortcut.
      MSN will still work when you start the executable manually after "removing" it.
      (Same goes for Outlook Express btw).

    4. Re:Helpful little program by ScottSpeaks! · · Score: 4, Informative

      I haven't tried it (no such machine to run it on), but XPlite is a utility that should be very good at removing unwanted "features" from WinXP. (There's a Win2K version as well.) This is by the same guy who created 98lite, which removes all traces of IE from Win98 (which MS had said wasn't possible) and replaces it with the file browser from Win95 (and the web browser of your choice). So when he says it "removes" a feature, I'm inclined to believe it really does.

  2. Low risk by Xenna · · Score: 5, Informative

    It doesn't seem to be using any particular vulnerabilities in MSN. It depends on users to click on a URL they receive in a message.

    Now what responsible user would do that? NAI's web site claims that the worm code itself has been removed from the web server, thus rendering the worm harmless:

    http://vil.nai.com/vil/content/v_100931.htm

    -- Update 31st December 2003 --
    This threat is considered to be a Low-Profiled risk due to media attention at: http://www.web-user.co.uk/news/47502.html

    This detection is for a worm intended to propagate via MSN Messenger instant messaging. The worm is written in Visual Basic.

    It propagates by sending messages to the MSN messenger contact list. The messages contain a link to the worm itself:

    http://www.home.no/( removed )/jituxramon.exe

    When the link is clicked, the worm is downloaded to the target machine.

    Note: at the time of writing the worm was unavailable from this URL.
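
The advisory quoted above describes a worm that spreads purely by sending contacts a link to an executable. The following is an added example, not part of the original comment or the advisory: a message filter that flags IM text containing URLs whose path names a directly executable file. The host names, sample messages and extension list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed list of extensions that Windows runs directly when opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def executable_links(message: str) -> list[str]:
    """Return URLs in an IM message whose path names an executable file."""
    hits = []
    for match in URL_RE.finditer(message):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing punctuation
        try:
            # Only the path matters: ?query and #fragment are ignored,
            # and percent-encoding such as %2E is decoded first.
            path = unquote(urlsplit(url).path)
        except ValueError:
            continue  # malformed URL, nothing to classify
        # Windows drops trailing dots and spaces when saving a file.
        filename = path.rsplit("/", 1)[-1].lower().rstrip(". ")
        dot = filename.rfind(".")
        # The last extension decides, so "pic.jpg.exe" is still flagged.
        if dot > 0 and filename[dot:] in EXECUTABLE_EXTS:
            hits.append(url)
    return hits


SAMPLE_MESSAGES = [  # constructed examples, not captured traffic
    "hey check this out http://files.example/u/jituxramon.exe",
    "photos are at http://photos.example/album?id=7",
    "lol http://files.example/pic.jpg%2Eexe?x=1 :)",
    "docs: http://docs.example/setup.exe.html",
]


def flag_messages(messages):
    """Map message index to flagged links, skipping clean messages."""
    return {i: links for i, m in enumerate(messages)
            if (links := executable_links(m))}


if __name__ == "__main__":
    for index, links in flag_messages(SAMPLE_MESSAGES).items():
        print(index, links)
```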

  3. to remove msn messenger by eonblueye · · Score: 5, Informative

    copy and paste into a .bat file

    @echo off
    rem Uninstall the Messenger component through its INF removal section.
    echo Removing Microsoft Messenger...
    rundll32 advpack.dll,LaunchINFSection %WinDir%\inf\msmsgs.inf,BLC.Remove

    rem Write the policy values to a .reg file, then import it silently.
    echo Disabling it from running in the future...
    echo REGEDIT4>"%temp%\nomsngr.reg"
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client]>>"%temp%\nomsngr.reg"
    echo "PreventRun"=dword:00000001>>"%temp%\nomsngr.reg"
    echo "PreventAutoRun"=dword:00000001>>"%temp%\nomsngr.reg"
    echo "PreventAutoUpdate"=dword:00000001>>"%temp%\nomsngr.reg"
    echo "PreventBackgroundDownload"=dword:00000001>>"%temp%\nomsngr.reg"
    echo "Disabled"=dword:00000001>>"%temp%\nomsngr.reg"
    regedit /s "%temp%\nomsngr.reg"

    run and bam! messenger is gone for good :)

    --
    +++ David Watts 5495 0.0 0.5 1888 884
  4. Re:What about... by Dunkelzahn · · Score: 4, Informative

    Many of the newer 'user friendly desktop' Linuces run as root, such as Lindows. While I think this is horribly stupid, it doesn't stop the fact that many neophytes to the Linux world will be running Gaim or equivalent as root.

    --
    .
  5. Re:solution by NickFitz · · Score: 4, Informative

    According to Network Associates "at the time of writing the worm was unavailable from this URL".

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  6. Re:why is MS always the target? by muffen · · Score: 4, Informative

    AIM and YIM have been around a lot longer and no one ever wrote a "worm" (debatable label in this case) for those...

    There are worms for ICQ, AIM and MSN. Yahoo IM is the only one that doesn't have a worm right now.

    MSN worms have been around for a while now. This isn't news in any way. The worm relied on a website that is now shut, so the worm is effectively disabled.

    If you want to know about IM spreading worms, read this or this

  7. Re:Dont just remove it, DENY its ability to run by MOMOCROME · · Score: 4, Informative

    hey, foolio:

    that's Windows Messenger you are referring to, a completely different beast than MSN Messenger. Windows Messenger is an old component for sending explorer events to domain clients, for saying things like "The Network is Going Down. Save Your Work Now." and such to your users. MSN Messenger is for "lol cyber u a/s/l/ here's a link to my plush toy auction on ebay" style messages to your social circle (and random people).