O.P. Live Messenger Plus update mail contains Trojan [mess.be post]
quote:Originally posted by mess.be
An e-mail is being spammed around inviting users to download an updated version of Live Messenger Plus, supposedly an application which protects the user against a virus that spams instant messages to online contacts. Not to be confused with Messenger Plus! Live, this is actually a non-existent piece of software but a Trojan recognised by antivirus vendors as Mal_Banker (TrendMicro), Trojan.Downloader.Banker.BS (BitDefender) or W32/Banload.A.gen!Eldorado (F-Prot) to name a few.
Websense Security Labs, who discovered the attack yesterday, issued an alert with the following details:
The URLs provided in the email redirect the user to a two-stage downloader named dsc.scr. As a distraction for the user, a dialog box is displayed explaining that the user will be redirected to msn.com.br. A browser then opens pointing to this site. The downloader first contacts hxxp://*snip*ario.com/games_06.jpg, and then hxxp://*snip*ario.com/games_04.jpg, adding the two files to the root of C:
A scheduled task is then created, and modifications are made to autoexec.bat to disable GBPlugin and other tools promoted by Brazilian banks to protect against such keyloggers and other malware. Details on other malicious applications targeting this security software can be found in our previous blog on G-Buster Browser Defence. The malware then goes on to conduct information-stealing activities.
>> More details (and a screenshot) at Websense.
Seeing how the name is so close to Messenger Plus! Live, I thought I'd post this here to avoid mass posting about it in the future from confused people.
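A triage check for two of the host artefacts the quoted alert describes (the two files dropped in the root of C: and the autoexec.bat change aimed at GBPlugin), as an added example that is not part of the original post or the Websense alert. The function names, the JPEG-signature heuristic and the sample data are assumptions constructed for illustration; the scheduled task is not covered.

```python
import os
import tempfile

DROPPED = ("games_06.jpg", "games_04.jpg")  # file names given in the alert
TOOL = "gbplugin"                            # tool the alert says gets disabled
JPEG_MAGIC = b"\xff\xd8\xff"

def find_in_root(root, name):
    """Case-insensitive match directly under root (Windows names ignore case)."""
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if entry.lower() == name and os.path.isfile(path):
            return path
    return None

def triage(root):
    """Return a list of (kind, subject, detail) findings for one volume root."""
    findings = []
    for name in DROPPED:
        path = find_in_root(root, name)
        if path is None:
            continue
        with open(path, "rb") as fh:
            head = fh.read(len(JPEG_MAGIC))
        # Assumption: a .jpg that lacks the JPEG signature deserves a closer look.
        detail = "jpeg header" if head == JPEG_MAGIC else "not a jpeg"
        findings.append(("dropped_file", name, detail))
    bat = find_in_root(root, "autoexec.bat")
    if bat:
        with open(bat, "r", errors="replace") as fh:
            for number, line in enumerate(fh, 1):
                if TOOL in line.lower():
                    findings.append(("autoexec_ref", number, line.strip()))
    return findings

def build_sample(root):
    """Constructed sample data, not taken from a real infection."""
    with open(os.path.join(root, "GAMES_06.JPG"), "wb") as fh:
        fh.write(b"MZ\x90\x00")          # constructed non-JPEG content
    with open(os.path.join(root, "games_04.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0")   # constructed JPEG-like header
    with open(os.path.join(root, "autoexec.bat"), "w") as fh:
        fh.write("@echo off\nrem constructed line naming GBPlugin\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)
```

Calling `triage()` with the root of a live drive or a mounted disk image returns the same tuples as `demo()` does for the constructed sample; any `autoexec_ref` hit still needs a manual read of the line.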