SWINSON-L ArchivesArchiver > SWINSON > 2002-02 > 1013661323
From: "John A Hansen" <>
Subject: [SWINSON] FW: New MSN Messenger Worm > Not Cool
Date: Wed, 13 Feb 2002 20:35:23 -0800
Here is a real early warning of a new Virus fresh from the
testing Labs. You already know about not opening
attachments etc from people you don't know etc etc.
The format of this new worm has been in development for
some time and you have all heard me talk and write
So don't open any URL's that you don't know.
The AV software programs may be late as well in
getting updates out quick enough. But at least
update your AV software 2 to 3 times a week for the
next few weeks. I do mine daily. There is a scheduler
on most AV software and I just have it set to automatically
download the latest every night at 3 am.
While the first pass here may only be a "show off" piece
I have seen vicious programs with deadly payloads that
really do some damage and obtain key info that is then
forwarded to foreign locations.
The first wave will probably be labeled xxxxx.cool.html
So watch for the "cool" part first. Later the url will
carry other words or links that are designed to appeal
to you in some way. Our genealogy hobby will be
Be suspicious. Just because you're paranoid doesn't
mean that there isn'tsomeone out to get you. Being
paranoid about virii may keep you out of trouble..
This wave of virus attempts may be around for awhile.
John A Hansen
From: Drew Smith [mailto:]
Sent: Wednesday, February 13, 2002 5:10 AM
Subject: New MSN Messenger Worm
Ok, let's try this again, with a little more time spent on my side. ;)
Tried to submit this earlier today, but got bounced for attaching the
worm source to the message. So, this time, I'm attaching a URL instead,
where you can go get the source if you want to see it.
This worm *ripped* through our office today - it's one part flaw in
Microsoft's security model and one part social engineering; it is a
NON-MALICIOUS worm, but it effectively proves the concept, and I don't
foresee more than a week or two before there's a nasty version.
We've been calling it the "cool worm", after the original filename,
I said *ripped*. I meant it. 40 people affected/infected in under 30
seconds. That's the dangerous part, I didn't even have time to go to
the other room to let coworkers know what was up.
The worm shows up as an MSN Messenger message that says "Go To
http://www.masenko-media.net/cool.html NoW !!!". The user, obviously,
clicks the URL, which takes them to the site, where the malicious code
sits. The code opens the MSN Contacts list, then messages every contact
with the message "Go To http://www.masenko-media.net/cool.html NoW
Think about that for a second.
Anyhow - the worm does nothing nasty, but the source to the (now down)
masenko-media.net site also mails the hostname and user agent of the
connecting host to "".
Looks to me like an experiment that got loose from the lab, but it
demonstrates a *dangerous* flaw. Why can a webpage open the contacts
list in the first place? What other hooks does MSN Messenger provide?
Can you harvest email addresses from a contact list?
Too many scary implications.
Worm source (with a few important lines removed, so that it doesn't
start popping up *everywhere*), available at:
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
|[SWINSON] FW: New MSN Messenger Worm > Not Cool by "John A Hansen" <>|