New MSN worm variant - In the Wild

2008-02-14T06:50:00.000-08:00

Today, I got a zip file as an attachment (named as "image014.zip with saying "have you seen the newest iphone? its so amazing check it out") through MSN Messenger from one of my friend's email-ID. There it looks suspicious (later confirmed that he didn't send) to me and further downloaded the file for analysis. After extraction, there was a file named "image016.JPG-www.facebook.com".

Its actually a new variant of MSN worm which is in the wild (more similar to this one) where as 3 AV's detected as per the virustotal result. The detected worm's name looks like that AV's have created a generic (based on the behaviour) signature for it.

Antivirus Setup File infected by VIRUT variant

2008-02-11T23:19:00.001-08:00

Update: After reporting this issue to their Technical support, now they have changed the infected binary file (removed exactly the Extradat section from the whouses.exe file) and below is the result shown by virustotal.

When I download NetProtector 2008 trial version from Pune(INDIA) based Antivirus company's website, one of the file looks malicious to me. Then I picked that file "whouses.exe" and after analyzing I found that its infected by one of the VIRUT variant but not active, as its code is in the last section of the file (extradat section with no reference to it).

Later, I uploaded to VirusTotal for further results from other antivirus products and result was scary.

Flagging virus onto one of the file of an antivirus product itself is scary and shows the carelessness from the security firm which is supposed to protect their users from the malicious programs.

It shows that one of their development machine could have been infected by virus and finally the result is Antivirus product itself infected!!!

Security Research Blog

New MSN worm variant - In the Wild

Antivirus Setup File infected by VIRUT variant