Re: New MSN Messenger Worm
From: Nathan Einwechter (nathane@fatelabs.com)
Date: 02/14/02
From: "Nathan Einwechter" <nathane@fatelabs.com>
To: <Incidents@SecurityFocus.Com>
Date: Wed, 13 Feb 2002 21:47:00 -0500
Update: The worm is now also sending the message
"URGENT - Go to http://users.skynet.be/dark.angel/cool.htm"
-- Nathan Einwechter
----- Original Message -----
From: Drew Smith <drew@eastvan.bc.ca>
To: <incidents@securityfocus.com>; <bugtraq@securityfocus.com>
Sent: Wednesday, February 13, 2002 8:09 AM
Subject: New MSN Messenger Worm
>
> Heya folks,
>
> Ok, let's try this again, with a little more time spent on my side. ;)
> Tried to submit this earlier today, but got bounced for attaching the
> worm source to the message. So, this time, I'm attaching a URL instead,
> where you can go get the source if you want to see it.
>
> This worm *ripped* through our office today - it's one part flaw in
> Microsoft's security model and one part social engineering; it is a
> NON-MALICIOUS worm, but it effectively proves the concept, and I don't
> foresee more than a week or two before there's a nasty version.
>
> We've been calling it the "cool worm", after the original filename,
> "cool.html".
>
> I said *ripped*. I meant it. 40 people affected/infected in under 30
> seconds. That's the dangerous part, I didn't even have time to go to
> the other room to let coworkers know what was up.
>
> The worm shows up as an MSN Messenger message that says "Go To
> http://www.masenko-media.net/cool.html NoW !!!". The user, obviously,
> clicks the URL, which takes them to the site, where the malicious code
> sits. The code opens the MSN Contacts list, then messages every contact
> with the message "Go To http://www.masenko-media.net/cool.html NoW
> !!!".
>
> Think about that for a second.
>
> Anyhow - the worm does nothing nasty, but the source to the (now down)
> masenko-media.net site also mails the hostname and user agent of the
> connecting host to "mmargae@wanadoo.nl".
>
> Looks to me like an experiment that got loose from the lab, but it
> demonstrates a *dangerous* flaw. Why can a webpage open the contacts
> list in the first place? What other hooks does MSN Messenger provide?
> Can you harvest email addresses from a contact list?
>
> Too many scary implications.
>
> Worm source (with a few important lines removed, so that it doesn't
> start popping up *everywhere*), available at:
>
> http://riotnrrd.com/cool-source.zip
>
> Cheers,
> - Drew.
>
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
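The spread pattern reported in this thread (one lure URL relayed by many different senders to many different recipients within seconds) can be detected from instant-messaging gateway logs. The sketch below is an added example, not part of either post: the record layout `(timestamp, sender, recipient, text)`, the thresholds, and the `example.test` sample data are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def find_fanout_urls(records, window=timedelta(seconds=30),
                     min_senders=3, min_recipients=5):
    """Flag URLs relayed by many distinct senders to many distinct
    recipients inside one sliding time window.

    records: iterable of (timestamp, sender, recipient, text).
    Returns {url: (sender_count, recipient_count)} at first trigger.
    """
    hits_by_url = defaultdict(list)
    for ts, sender, recipient, text in records:
        for url in URL_RE.findall(text):
            hits_by_url[url.rstrip(".,!?)")].append((ts, sender, recipient))

    flagged = {}
    for url, hits in hits_by_url.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            in_window = hits[start:end + 1]
            senders = {h[1] for h in in_window}
            recipients = {h[2] for h in in_window}
            if len(senders) >= min_senders and len(recipients) >= min_recipients:
                flagged[url] = (len(senders), len(recipients))
                break
    return flagged

# Constructed sample data (hypothetical users, placeholder host).
T0 = datetime(2002, 2, 13, 8, 9, 0)
LURE = "Go To http://example.test/cool.html NoW !!!"
MENU = "Lunch menu: http://example.test/menu.html"
NEWS = "Seen this? http://example.test/news.html"
SAMPLE_LOG = [(T0 + timedelta(seconds=s), a, b, t) for s, a, b, t in [
    (0, "alice", "bob", LURE), (0, "alice", "carol", LURE),
    (3, "bob", "dave", LURE), (3, "bob", "erin", LURE),
    (5, "carol", "frank", LURE), (6, "carol", "gina", LURE),
    # One person broadcasting a link: many recipients, single sender.
    (1, "hank", "p1", MENU), (2, "hank", "p2", MENU), (2, "hank", "p3", MENU),
    (4, "hank", "p4", MENU), (4, "hank", "p5", MENU),
    # Link passed along slowly: enough senders, but minutes apart.
    (0, "ivy", "q1", NEWS), (0, "ivy", "q2", NEWS), (300, "jack", "q3", NEWS),
    (300, "jack", "q4", NEWS), (600, "kim", "q5", NEWS),
]]

if __name__ == "__main__":
    print(find_fanout_urls(SAMPLE_LOG))
```

Requiring several distinct senders is what separates relay-style propagation from a single user broadcasting a link; the window and thresholds need tuning against normal traffic.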