What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Messenger Plus! for Live Messenger » WLM Plus! Help » I've got some worm that only comes up when mnsplus is installed

Pages: (3): « First « 1 2 [ 3 ] Last »
I've got some worm that only comes up when mnsplus is installed
Author: Message:
Spunky
Former Super Mod
*****

Avatar

Posts: 3658
Reputation: 61
35 / Male / Flag
Joined: Aug 2006
RE: I've got some worm that only comes up when mnsplus is installed
It was not a vulnerability in Plus! It was probably whatever piece of crap is on your computer can't hook onto the WLM process properly and so gets detected...
<Eljay> "Problems encountered: shit blew up" :zippy:
10-12-2008 01:43 PM
Profile PM Find Quote Report
ShawnZ
Veteran Member
*****

Avatar

Posts: 3146
Reputation: 43
31 / Male / Flag
Joined: Jan 2003
RE: I've got some worm that only comes up when mnsplus is installed
quote:
Originally posted by SpunkyLoveMuff
It was probably whatever piece of crap is on your computer can't hook onto the WLM process properly and so gets detected...

wtf are you talking about :p
Spoiler:
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
the game.
10-12-2008 01:48 PM
Profile PM Web Find Quote Report
Dane
Non-Elite Member
*****

Avatar
Dont ask to ask, just ASK!

Posts: 1621
Reputation: 52
35 / Male / Flag
Joined: Dec 2002
Status: Away
RE: I've got some worm that only comes up when mnsplus is installed
So, I submitted the virus to Symantec, Eset, McAfee, and Trend Micro.  Trend Micro has responded with protection, and has provided the updated pattern file at its website. The new detection is for TROJ_BUZUS.AKK.  It is NOT related to Messenger Plus! Live in any way.

McAfee has now responded with the detection as GENERIC PWS.Y (Trojan) and has provided an updated DAT with detection on 10/10/2008 and suggests updating your virus definitions to detect this threat.

Symantec has now responded with the detection as W32.Kelvir and has issued new virus definitions on October 14th, 2008 protecting against this threat.

quote:
GENERIC PWS.Y Writeup @ McAfee

Overview -

This is a detection for many non-descript password stealing trojans.

Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Characteristics -

This detection covers many nondescript password stealing (PWS) trojans - typically one-off creations that have been received by Avert.  There are many variants of this trojan, and the specific actions taken are decided by the hacker who uses this trojan, so this description is meant as a general guide.

These trojan are designed to search for passwords when run on the victim's system, and return the passwords to the trojan creator. The specific type of password stolen varies from trojan to trojan, but can include the following:

Local or domain usernames/passwords Online banking numbers/username/passwords Dial-up numbers/usernames/passwords Email servers/usernames/passwords Insant Messenging usernames/numbers/passwords Online game credentials Any passwords typed at the keyboard.  This information may be captured by monitoring keystrokes or mouse movement throughout the infected system, or just in particular windows.  It may also gather information from registry entries or files on the system.  Once this information is gathered, it is sent to the trojan creator.  This information is most commonly sent by email, HTTP or IM, to the trojan creator.

Specific features and symptoms of the detected sample will vary.

It is common for trojans to copy themselves to a location where their presence is unobtrusive.  Most commonly, trojans will use the Windows or Windows System Directory (e.g. C:\Windows or C:\Windows\System32).  The trojan may use a stealthy filename to make itself appear to be a valid Windows file, or use a random filename to thwart searches for malicious filenames.  A registry entry may be created to run the malicious file again at Windows startup.


Symptoms -
Password stealers are stealthy by design so most users will not notice that one is installed.  Typically these PWS trojans will attempt to hook the victim computer's registry to load themselves at startup.  Some PWS trojans may have mail clients built in so that they can send logged information to the trojan creator.

Method of Infection -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

This post was edited on 10-14-2008 at 07:01 PM by Dane.
10-12-2008 08:26 PM
Profile PM Web Find Quote Report
JeanC
New Member
*


Posts: 11
Joined: Oct 2008
O.P. RE: I've got some worm that only comes up when mnsplus is installed
Thanks.
I will try to notify avast too.
10-13-2008 08:53 AM
Profile E-Mail PM Find Quote Report
Pages: (3): « First « 1 2 [ 3 ] Last »
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On