Slashdot Mirror


New Worm Spreads Via MSN Messenger

vxone writes "Anti-virus experts are watching a new worm that spreads through Microsoft Corp.'s MSN Messenger client. The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc. Known as Jitux, the worm is self-propagating and contains a link to a Web site that automatically downloads an executable file named 'jituxramon.exe' to the PC. Once the file runs, the worm begins sending out copies of itself to all of the names in the user's Messenger contact list."

20 of 380 comments

  1. Jituxramon... by eurleif · · Score: 5, Funny

    Sounds like something from Pokemon.

    1. Re:Jituxramon... by Lord_Breetai · · Score: 5, Funny

      Sounds like something from Pokemon.

      Ah, it must be a Bug-type then.

      --
      "You are only young once, but you can be immature forever." -www.animemusicvideos.org
  2. So what does it actually do? by gnu-sucks · · Score: 5, Funny

    So let me get this straight, the virus infects a computer, and then infects other computers. Does the virus actually do anything?

    As it stands, it sounds a lot like a slashdot discussion :p

    1. Re:So what does it actually do? by xkenny13 · · Score: 5, Interesting

      So let me get this straight, the virus infects a computer, and then infects other computers. Does the virus actually do anything?

      I would guess that this is the trial run, to validate the theory behind a virus spreading in this manner. Once they know it works, the next one will have a payload.

    2. Re:So what does it actually do? by wa5ter · · Score: 5, Insightful

      A friend of mine, who knows a bit about this kind of thing (no, he isn't) suggested that this is the kind of thing someone would do if they wanted to cause a lot of damage, but not get caught. The harmless version will be widely propagated, and then it's only a matter of time before some script kiddie loads up a far more harmful payload. This will probably be the person that takes the rap for the whole thing, leaving the original virus creator scot-free.

    3. Re:So what does it actually do? by old_unicorn · · Score: 5, Interesting

      It downloads an executable from a website. Obviously the number of downloads increases as the virus spreads. If the virus is thought to be harmless people won't panic about clearing it out. Maybe when there are enough computers (PCs) transmitting the virus, the website owner will change the executable for the real payload, and wammee - fireworks. Or maybe not.

      --
      ***You learn something Every day. And then you die.***
    4. Re:So what does it actually do? by zurab · · Score: 5, Funny

      I would guess that this is the trial run, to validate the theory behind a virus spreading in this manner. Once they know it works, the next one will have a payload.

      I've got one idea on what that payload could be. Disclaimer: I am not involved in and do not condone writing and distributing virii/worms, invading and abusing others' property, or any other illegal activities; it's just a thought that occurred to me while reading this thread.

      Jitux, sounding a lot like "JIT (just-in-time) Linux" could carry a windows program that would accomplish following on each host:

      0. Propagate;
      1. Check whether host's hardware (modem, network card, etc.) and ISP connectivity are compatible and can be used in Linux;
      2. Check for broadband connection;
      3. If either (1) or (2) are false, propagate and do nothing else (exit);
      4. Find an extra space on the hard drive and create one small and one or more larger new partitions; if no extra space is found (as is likely), quietly defragment and resize FAT32 or NTFS to free up space;
      5. Place a small Linux bootable image on the small partition, and format other partitions;
      6. Gradually, over the course of next few hours (or days) download and place common packages available for Linux on larger partition(s);
      7. Once all required data has been downloaded, modify MBR to boot from the smaller Linux partition that was created.

      On the following boot this should happen:

      1. Display bootup screen similar to Windows; maybe display - "Windows is updating settings" while Linux is being set up on hardware and packages are being installed;
      2. Copy settings from Windows partition - e.g., start menu items, background, O/OE settings, etc.; make sure to install comparable packages like OpenOffice.org, KMPlayer/Xine/etc., IMs with Linux; run whatever you can with WINE from Windows partition;
      3. Boot into Linux with the WM/DE that looks as much like Windows as possible - adjusted KDE or GNOME - make sure the button says "Start" on it - that part is of utmost importance;
      4. When they do "open -> my documents/pictures/music/etc." always display items from both Windows and Linux partitions; when they save, only save on Linux partitions; when duplicates occur only display files from Linux partition.

      Voila! JIT Linux, or Jitux! Easier said than done (and I realize there could be problems), but if successful I am guessing 90% of home desktop users will not even notice any difference.

      Disclaimer (again): I do not condone distributing virii/worms, etc. or illegally messing with others' property without permission. This was just an idea that occurred to me while reading this thread.
  3. solution by Barbarian · · Score: 5, Insightful

    Uhhh, shut down the website that the "worm" is sending a link to?

  4. Helpful little program by Raul654 · · Score: 5, Informative

    For anyone who has tried to uninstall MSN Messenger, you know how much of a bitch it is. I recommend Windows XP antispy to get rid of it.

    After all, (simpsonism) "no one who speaks German could be evil" (/simpsonism) :)

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Helpful little program by MacroRex · · Score: 5, Informative

      With some help from Google it's no bitch at all.

    2. Re:Helpful little program by Anonymous Coward · · Score: 5, Funny

      "I recommend format c:\ then installing the Linux Distro of your choice."

      Think of all the extra time you'll have when all your games stop working!

    3. Re:Helpful little program by SilverCanary · · Score: 5, Informative

      It's not removed when you do that.
      They simply make the executable a hidden file and remove the shortcut.
      MSN will still work when you start the executable manually after "removing" it.
      (Same goes for Outlook express btw).

  5. Low risk by Xenna · · Score: 5, Informative

    It doesn't seem to be using any particular vulnerabilities in MSN. It depends on users to click on a URL they receive in a message.

    Now what responsible user would do that. NAI's web site claims that the worm code itself has been removed from the web server, thus rendering the worm harmless:

    http://vil.nai.com/vil/content/v_100931.htm

    -- Update 31st December 2003 --
    This threat is considered to be a Low-Profiled risk due to media attention at: http://www.web-user.co.uk/news/47502.html

    This detection is for a worm intended to propagate via MSN Messenger instant messaging. The worm is written in Visual Basic.

    It propagates by sending messages to the MSN messenger contact list. The messages contain a link to the worm itself:

    http://www.home.no/( removed )/jituxramon.exe

    When the link is clicked, the worm is downloaded to the target machine.

    Note: at the time of writing the worm was unavailable from this URL.

  6. Not the first time by jeremymh · · Score: 5, Interesting

    Around two years ago there was a similar virus for messenger. It was smarter, though, as whenever you open a chat window it would say to the other person "here are some pics I took last week" then request a file transfer of the virus (the virus ended in .jpg.exe). It didn't need a website to download from. I had to talk many people through the process of removing the virus (it simply took a ctrl-alt-del to kill the program, then delete it from the received files folder). This virus didn't do anything either; the writer left a note in the virus (viewable through a hex editor) that it was just "to see if he could do it".
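
    The two delivery tricks described in the comments above (a chat message linking to an .exe, and a file transfer named .jpg.exe) can be caught by a simple content check. The following is an added example, not part of the thread or of any vendor's detection; the host example.test, the extension lists and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions Windows runs when opened (a subset assumed for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Harmless-looking extensions used as the first half of a double extension.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".mp3"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _exts(name):
    """Last two lowercase extensions of a name, e.g. ['.jpg', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]][-2:]

def candidate_names(text):
    """Yield (source, name) for URL path basenames and bare file-like tokens."""
    names = []
    for url in URL_RE.findall(text):
        # urlsplit drops the query string; unquote undoes %2E-style hiding.
        path = unquote(urlsplit(url.rstrip(".,;)")).path)
        names.append(("url", path.rsplit("/", 1)[-1]))
    for tok in URL_RE.sub(" ", text).split():
        tok = tok.strip("\"'()[],;:!?.")
        if "." in tok:
            names.append(("file", tok))
    return names

def classify(text):
    """Return sorted reasons why a chat message or transfer name looks risky."""
    reasons = set()
    for source, name in candidate_names(text):
        exts = _exts(name)
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            continue
        if source == "url":
            reasons.add("link-to-executable")
        if len(exts) == 2 and exts[0] in DECOY_EXTS:
            reasons.add("double-extension")
    return sorted(reasons)

# Constructed sample messages; only the file name jituxramon.exe is from the page.
SAMPLES = [
    "check this out http://www.example.test/~user/jituxramon.exe",
    "here are some pics I took last week: holiday.jpg.exe",
    "story at http://www.example.test/news/47502.html.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg), "<-", msg)
```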

  7. Re:This is why we use linux by Sarojin · · Score: 5, Insightful

    Linux doesn't protect users from being idiots. Nothing can.

    --
    HOW'S MY POSTING? CALL 1-800-POSTING
  8. to remove msn messenger by eonblueye · · Score: 5, Informative

    copy and paste into a .bat file

    @echo off
    rem Uninstall the Messenger component via its INF removal section
    echo Removing Microsoft Messenger...
    rundll32 advpack.dll,LaunchINFSection %WinDir%\inf\msmsgs.inf,BLC.Remove

    rem Write policy values that block Messenger, then import them silently
    echo Disabling it from running in the future...
    echo REGEDIT4>%temp%\nomsngr.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client]>>%temp%\nomsngr.reg
    echo "PreventRun"=dword:00000001>>%temp%\nomsngr.reg
    echo "PreventAutoRun"=dword:00000001>>%temp%\nomsngr.reg
    echo "PreventAutoUpdate"=dword:00000001>>%temp%\nomsngr.reg
    echo "PreventBackgroundDownload"=dword:00000001>>%temp%\nomsngr.reg
    echo "Disabled"=dword:00000001>>%temp%\nomsngr.reg
    regedit /s %temp%\nomsngr.reg

    run and bam! messenger is gone for good :)

    --
    +++ David Watts 5495 0.0 0.5 1888 884
  9. Re:why is MS always the target? by Anonymous Coward · · Score: 5, Insightful

    AIM and YIM have been around a lot longer and no one ever wrote a "worm" (debatable label in this case) for those...

    Yes, they have.

    Did you actually check before making that claim?

  10. Re:The face of our attacker? by Motherfucking+Shit · · Score: 5, Interesting

    What worm maker would link to a site that hosts their webcam as well?

    Recall that the high school student who released a variant of MSBlaster - the variant which was purported to have affected no more than 7,000 or so computers - was caught because his modifications interacted with his own website. If "jberg" is actually the person who wrote Jitux, it wouldn't be the first time that a worm (if you'd call Jitux a worm) contains dead giveaways as to its author.

    I think a lot of people who wind up unleashing worms are just playing around, seeing if it works. They aren't thinking about the consequences because they probably weren't intending to "release a worm" in the first place. Again operating under the assumption that the homepage you posted belongs to the Jitux author, it's quite possible that he wrote the code and sent it to a couple of friends to see if it would work. Before he knew what had happened, it was in the wild. The malicious file is apparently gone, so for all we know, he deleted it himself once he figured out that his creation was alive.

    Naturally, all of this is speculation. It's equally possible, and perhaps even more likely, that the "jberg" user's FTP space has been compromised to host the malicious file.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  11. New Worm: Bored_Friend by gad_zuki! · · Score: 5, Funny

    Status: Critical
    Infection rate: Global

    This worm usually begins like this, but many variations have been seen in both the wild and in the lab.

    John: Yo wazzup?
    Me: No time to chat. I'm a little busy, gotta do some work.
    John: Then why is your IM on?
    Me: Because I need it for work.

    Soon the worm spreads.

    Jane: Hey, why are you giving John the cold shoulder?
    Me: Shit, I just want to get something done here. I'm sending someone a file with IM then I'm gone.
    Jane: You're full of it. John knows you're still pissed at him about blah blah.

    The worm may even infect unaffiliated third-parties.

    Joe: Hey man, you don't know me, but I work with Jane at Curuthers and Magalby and the way you treat her and your so-called pal John is fucking bullshit. You should be ashamed of yourself.

    Me: Seriously, I just want to get some work done here.

    Joe: Yeah, like I'm going to trust a liar like you.

    Fix: None.
    Stopgap: Forever stop using IM with crazy paranoid social primates.

  12. User intervention Part 2 by ChocolateCheeseCake · · Score: 5, Insightful

    Why is it when someone does something stupid on UNIX and screws their HDD, it's the user that is blamed but when the user CHOOSES to run Windows and CHOOSES to run MSN and CHOOSES to have their default browser to be Internet Explorer, for some reason they're immune to this barrage of RTFM and instead it is Microsoft who gets the blame.

    Sure, I love the Microsoft bashing mosh pit just as much as the next Mac/FreeBSD user, however, in all honesty, when is the end user going to take responsibility for their actions? Doesn't this sound like the a-typical scenario in the "real world", something bad happens and the government is blamed for not stopping the idiot from hurting themselves.

    The fact remains that the end user does VERY little to protect themselves. Sure, we'll have a chorus of ranters claiming that in their zyx operating system world, they would *NEVER* need that and through some miracle, somehow their operating system of choice is immune to all vulnerabilities.

    The fact remains that no matter what operating system you run, you HAVE to take precautions. Run an anti-virus, make sure your software and virus definitions are updated, run a GOOD firewall and actually learn how to use the computer so that you can set up the firewall so that it is beneficial rather than a hindrance.

    If you follow these VERY basic precautions, I would be VERY surprised if you get infected.

    In a perfect world, one WOULDN'T need to take these precautions, software would be bug free, everyone would be honest Joes and Janes, however, that isn't the case, the fact is, the world is filled with losers, script kiddies and other parasites and unfortunately the only way to defeat these people is to make their conquests so meaningless that they'll go back to nicking car badges off cars and boasting to their friends about what level of "Rainbow Islands" they got up to on their SEGA.

    Btw, does anyone remember that game?

    --

    Erotic uses a feather; Pornography uses the whole chicken