
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

MSNWorm.IE

  • Threat Level: Low threat
  • Damage: High
  • Distribution: Not widespread

Effects 

The main objective of MSNWorm.IE is to spread via instant messaging programs in order to affect as many computers as possible.

Additionally, it carries out the following actions:

  • It attempts to connect to the following website in order to download updates of itself or to send information about the computer:
    teamiosys.com
  • It adds itself to the firewall's list of authorized applications, in order to avoid being blocked.

Infection strategy 

MSNWorm.IE creates the following files:

  • MSNMLS.EXE, in the Windows directory. This file is a copy of the worm.
  • A.TXT, in the root directory of the C: drive.

 

MSNWorm.IE creates the following entries in the Windows Registry to add itself to the firewall's list of authorized applications:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr = %path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr:*:Enabled:Userinit
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr = %path where the original file has been run%\photo180410-jpg-www-facebook-com.scr_.scr:*:Enabled:Userinit

 

MSNWorm.IE modifies the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,

    where %sysdir% is the Windows system directory.
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,%windir%\msnmls.exe

    where %windir% is the Windows directory.
    By modifying this entry, MSNWorm.IE ensures that it is run whenever Windows is started.

In addition, it modifies the following entries in the Windows Registry related to the Windows firewall service, in order to access the Internet without being blocked:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch
    Epoch
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch
    Epoch
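
A check for the Winlogon Userinit change and the firewall exception entries listed above, as an added example that is not part of Panda's write-up. The function names, the default system directory and the sample values are assumptions constructed for illustration, and the rule that flags any enabled .scr exception generalizes beyond the two file names given on this page.

```python
import ntpath

# File names taken from the write-up above (compared case-insensitively).
WORM_FILES = {"msnmls.exe", "photo180410-jpg-www-facebook-com.scr_.scr"}


def extra_userinit_entries(value, sysdir=r"C:\Windows\system32"):
    """Return every program in a Winlogon Userinit value except userinit.exe."""
    # The clean value ends in a comma; the worm appends its copy after it.
    expected = ntpath.normcase(ntpath.join(sysdir, "userinit.exe"))
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and ntpath.normcase(e) != expected]


def parse_firewall_entry(data):
    """Parse "<path>:<scope>:<Enabled|Disabled>:<label>"."""
    # Split from the right: the path itself contains a drive-letter colon.
    path, scope, state, label = data.rsplit(":", 3)
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "label": label}


def audit(userinit_value, firewall_list, sysdir=r"C:\Windows\system32"):
    """Return (location, detail) findings for the two registry areas."""
    findings = [("Winlogon\\Userinit", e)
                for e in extra_userinit_entries(userinit_value, sysdir)]
    for data in firewall_list.values():
        entry = parse_firewall_entry(data)
        name = ntpath.basename(entry["path"]).lower()
        # Flag the worm's own file names, and any enabled .scr exception.
        if name in WORM_FILES or (entry["enabled"] and name.endswith(".scr")):
            findings.append(("AuthorizedApplications\\List", entry["path"]))
    return findings


# Constructed sample values modelled on the entries listed above.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\msnmls.exe"
SAMPLE_FIREWALL = {
    r"C:\Temp\photo180410-jpg-www-facebook-com.scr_.scr":
        r"C:\Temp\photo180410-jpg-www-facebook-com.scr_.scr:*:Enabled:Userinit",
    r"C:\Program Files\App\app.exe":
        r"C:\Program Files\App\app.exe:*:Enabled:App",
}

if __name__ == "__main__":
    for location, detail in audit(SAMPLE_USERINIT, SAMPLE_FIREWALL):
        print(f"[!] {location}: {detail}")
```

On a live system the two inputs would come from the Winlogon key and the AuthorizedApplications\List key under both ControlSet001 and CurrentControlSet.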

Means of transmission 

MSNWorm.IE spreads via the instant messaging program MSN Messenger. In order to do so, it follows the routine below:

It sends an instant message that tries to persuade users to view a photograph. The message contains a link that appears to point to a Facebook image, as can be seen in the following image:

Instant message sent by MSNWorm.IE

  • Additionally, it uses messages in different languages depending on the language of the operating system of the affected computer.
  • The following are some examples of the variety of languages it can use. These messages contain a link to a malicious website:
    English: seen this?? :D
               look at this picture :D
    Spanish: mira esta fotografia :D
    Portuguese: olhar para esta foto :D
    French: regardez cette photo :D
    German: schau mal das foto an :D
    Italian: guardare quest'immagine :D
    Dutch: bekijk deze foto :D
    Swedish: titta ps min bild :D
    Danish: ser ps dette billede :D
    Norwegian: se ps dette bildet :D
    Finnish: katso tStS kuvaa :D
    Slovenian: poglej to fotografijo :D
    Slovak: pozrite sa na tto fotografiu :D
    Czech: podfvejte se na mou fotku :D
    Polish: spojrzec na to zdjecie :D
    Romanian: uita-te la aceasta fotografie :D
    Hungarian: nTzd meg a kTpet :D
    Turkish: bu resmi bakmak :D
  • If users access this link, a copy of the worm will be downloaded to the affected computer.
  • Then, it sends a similar instant message to all the users that are connected at that moment.

Further Details  

MSNWorm.IE is 126,976 bytes in size.
