Re: Will this work??
From: Patrick Dickey (pd1ckey43_at_msn.com.removethis)
Date: 09/10/05
Date: Sat, 10 Sep 2005 13:21:19 -0500
Mackster wrote:
> Hi,
> Just a question if this theory will work, if not, then it was worth a try
> asking :-)
> Currently Microsoft offers MSN Messenger, Yahoo offers the Yahoo Messenger,
> and there are other such products. In all these chat products there is a
> facility to use them using a HTTP proxy, the information and settings for
> which are stored in the Registry (using regedit you can find it).
> What if a worm was made, which created a proxy on the infected machine,
> changed the registry settings such that the HTTP proxy was said to use
> 127.0.0.1 as the Proxy server, and any port can be used. Now, taking MSN
> Messenger as an example, if the Worm let's say ran the proxy on Port 1999 and
> changed the registry for MSN Messenger to use to connect to the internet
> using HTTP proxy on port 1999. Now, as the MSN will connect through the Worm
> Proxy, the worm will have the data incoming and outgoing being sent by the
> MSN messenger, so
> 1. A window can be opened on the Chat data and the data can be captured
> To spread, MSN messenger offers the user to transfer files, as now the Worm
> can have a look at the data being sent and received by the Messenger, it can
> easily modify the file being sent and attach itself or rather send itself
> first instead of the file, or send itself by attaching the file being sent
> underneath it to infect the other PC to which the file is being transferred
> over MSN.
> Once on the other PC, if the file being sent is an executable, or let's say if
> the file being sent was a zip file, called filexxxx.zip, the worm changes the
> file, attaches the zip file underneath it, renames the file to
> filexxx.zip.pif. When the User on the other side of the chat clicks on the
> file being sent, the worm gets executed, which first makes the required
> changes so that it Loads as soon as Windows starts and changes the settings
> for next time. It then extracts the actual file being sent and executes the
> appropriate command to open the file, so that the user does not know that a
> worm was executed on his / her machine.
>
> This is just an idea, and I am not that sure this can be done, but if this
> can be done, won't it have the potential of infecting a whole lot of
> computers, and from the Worm Proxy, this can be used to become a backdoor or
> a trojan.
>
> Well, just an idea. Will this work ???
>
In theory, this would work. However, in the instance of MSN Messenger,
a lot of file types are being blocked. So, if the worm uses one of
those types, the person who is already infected *should* get a message
saying that "Messenger blocked the sending of potentially unsafe file...."
Basically at this point in time, EVERYTHING that could possibly execute
on your computer (exe, bat, com, pif, cmd, vbs (I believe, as I haven't
tried this), etc.) is blocked.
But, like I said.. In theory this would work. I know MSN Messenger also
uses your Internet Explorer options. But, I'm not sure about Yahoo at
all, or AIM for that matter.
HTH
--
Patrick Dickey <pd1ckey43@removethis.msn.com>
http://www.pats-computer-solutions.com
Smile.. someone out there cares deeply for you.
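
A defensive check for the two artifacts discussed in this thread, a proxy setting that points at 127.0.0.1 and a transferred file named like filexxx.zip.pif, as an added example that is not part of the original messages. The function names, the decoy-extension list and the `host:port` / `scheme=host:port;...` setting format are assumptions.

```python
import ipaddress

# Extensions the reply above lists as blocked by Messenger.
EXECUTABLE_EXTS = {"exe", "bat", "com", "pif", "cmd", "vbs"}
# Assumption: harmless-looking extensions a decoy name might display.
DECOY_EXTS = {"zip", "txt", "doc", "jpg", "gif", "pdf", "mp3"}


def check_filename(name):
    """Return 'double-extension', 'executable' or None for a transferred file name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary host name


def loopback_proxies(setting):
    """Return (scheme, host, port) for each proxy entry that points at this machine."""
    hits = []
    for entry in filter(None, (e.strip() for e in setting.split(";"))):
        scheme, _, hostport = entry.rpartition("=")
        hostport = hostport.split("//")[-1].lower()
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        host = host.strip("[]")
        if _is_loopback(host):
            hits.append((scheme.lower(), host, port))
    return hits


if __name__ == "__main__":
    # Constructed sample values, modelled on the names and port in the thread.
    for name in ("filexxx.zip.pif", "setup.exe", "holiday.jpg"):
        print(name, "->", check_filename(name))
    print(loopback_proxies("http=127.0.0.1:1999;https=proxy.example.com:8080"))
```

A loopback proxy entry is a lead rather than a verdict, since local filtering and debugging proxies also listen on 127.0.0.1.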