Effects
The main objective of MSNWorm.IE is to spread via instant messaging programs in order to affect as many computers as possible.
Additionally, it carries out the following actions:
- It attempts to connect to the following website in order to download updates of itself or to send information about the computer:
team<blocked>iosys.com
- It adds itself to the list of applications authorized by the firewall, in order to avoid being blocked.
Infection strategy
MSNWorm.IE creates the following files:
- MSNMLS.EXE, in the Windows directory. This file is a copy of the worm.
- A.TXT, in the root directory of the C: drive.
MSNWorm.IE creates the following entries in the Windows Registry to add itself to the list of applications authorized by the firewall:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr = %path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr:*:Enabled:Userinit
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr = %path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr:*:Enabled:Userinit
MSNWorm.IE modifies the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = %sysdir%\userinit.exe,
where %sysdir% is the Windows system directory.
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = %sysdir%\userinit.exe,%windir%\msnmls.exe
where %windir% is the Windows directory.
By modifying this entry, MSNWorm.IE ensures that it is run whenever Windows is started.
In addition, it modifies the following entries in the Windows Registry related to the Windows firewall service, in order to access the Internet without being blocked:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch
Epoch
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch
Epoch
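The Userinit and firewall changes described above can be checked against registry values exported from a host. The following Python sketch is an added example, not part of the original description: the function names, the system directory and the sample directory paths are assumptions, and the sample data is constructed.

```python
import ntpath

SYSDIR = r"C:\Windows\system32"  # assumed system directory (%sysdir%)

def extra_userinit_entries(value, sysdir=SYSDIR):
    """Return Winlogon Userinit entries other than the stock userinit.exe."""
    expected = ntpath.normcase(ntpath.join(sysdir, "userinit.exe"))
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and ntpath.normcase(e) != expected]

def suspicious_firewall_entries(values):
    """Flag enabled AuthorizedApplications entries matching this worm's pattern.

    values maps value name to value data in the form path:scope:state:label.
    """
    findings = []
    for data in values.values():
        # The path itself contains "C:", so split from the right.
        parts = data.rsplit(":", 3)
        if len(parts) != 4 or parts[2].lower() != "enabled":
            continue
        path, scope, _state, label = parts
        reasons = []
        if ntpath.splitext(path)[1].lower() == ".scr":
            reasons.append("screensaver executable authorized")
        if label.lower() == "userinit" and ntpath.basename(path).lower() != "userinit.exe":
            reasons.append("label 'Userinit' does not match the binary")
        if reasons:
            findings.append((path, scope, reasons))
    return findings

# Constructed sample data; the directory names are made up for illustration.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\msnmls.exe"
DROPPER = r"C:\Users\user\Downloads\photo180410-jpg-www-facebook-com.scr_.scr"
FIREWALL_LIST = {
    DROPPER: DROPPER + ":*:Enabled:Userinit",
    r"C:\Program Files\Example\app.exe": r"C:\Program Files\Example\app.exe:*:Enabled:Example App",
}

if __name__ == "__main__":
    print(extra_userinit_entries(INFECTED_USERINIT))
    for path, scope, reasons in suspicious_firewall_entries(FIREWALL_LIST):
        print(path, scope, "; ".join(reasons))
```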
Means of transmission
MSNWorm.IE spreads via the instant messaging program MSN Messenger. In order to do so, it follows the routine below:
- It sends an instant message convincing users to see a photograph. This message contains a link which seems to point to a Facebook image.
- Additionally, it uses messages in different languages depending on the language of the operating system of the affected computer.
- The following are some examples of the variety of languages it can use. These messages contain a link to a malicious website:
English: seen this?? :D
look at this picture :D
Spanish: mira esta fotografia :D
Portuguese: olhar para esta foto :D
French: regardez cette photo :D
German: schau mal das foto an :D
Italian: guardare quest'immagine :D
Dutch: bekijk deze foto :D
Swedish: titta på min bild :D
Danish: ser på dette billede :D
Norwegian: se på dette bildet :D
Finnish: katso tätä kuvaa :D
Slovenian: poglej to fotografijo :D
Slovak: pozrite sa na túto fotografiu :D
Czech: podívejte se na mou fotku :D
Polish: spojrzec na to zdjecie :D
Romanian: uita-te la aceasta fotografie :D
Hungarian: nézd meg a képet :D
Turkish: bu resmi bakmak :D
- If users access this link, a copy of the worm will be downloaded to the affected computer.
- Then, it sends a similar instant message to all the users that are connected at that moment.
Further Details
MSNWorm.IE is 126,976 bytes in size.