Hi,

The actual executable for this MSN worm is hidden in a .jpg file.

[image: picture.PNG] <http://blog.spywareguide.com/MSNAgent/picture.html> *The reason there is no preview available is that this isn't a picture, but executable code in the guise of a picture file.*

The thing that makes this so interesting is the lengths to which the attacker is willing to go in order to hide from detection by commonly used security applications. Only by using certain tools can you see the threat running behind the scenes. Here you can see an ominously almost-legitimate application running called "MSNAgent".

[image: txtfile.PNG] <http://blog.spywareguide.com/MSNAgent/txtfile.html> *MSNAgent starts up when the computer boots.*

MSNAgent has the ability to connect to a remote server for the purpose of stealing your MSN username and password. The file "gf1008.exe" is originally saved in the Temporary Internet Files folder to avoid too much suspicion. It's on the Desktop in this example for the purposes of testing.

[image: autostart.PNG] <http://blog.spywareguide.com/MSNAgent/autostart.html> *This is shown to the user whenever the computer is restarted.*

Taking a closer look at gf1008.exe shows you the following:

[image: bintext.PNG] <http://blog.spywareguide.com/MSNAgent/bintext.html> *You can see here that this file is directly related to the autostart value "MSNAgent". It also shows us that it's trying to make a connection to a remote server as well as get the user to change their password, presumably for the purpose of phishing the user.*

Attempting to find this threat running with other free security apps might be a problem.
HijackThis: [image: Thumbnail image for hijackthis.PNG] <http://blog.spywareguide.com/hijackthis-thumb-599x5312.html>

Regcrawler: [image: Thumbnail image for regedit.PNG] <http://blog.spywareguide.com/regedit-thumb-717x466.html> *MSNAgent can't be found in the registry through traditional means either.*

HijackThis is one of the common security applications used to verify whether there is an infection when users ask for help from other users on a forum. Most of the time, HijackThis is the first step when trying to find the threat.

--
You received this message because you are subscribed to the Google Groups "nforceit" group. For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
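The post's central observation is that the executable travels under an image extension, so a preview fails but a file-type check based on the name alone says "picture". The check below is an added example written for this page, not code from the blog post or the mailing list: it compares the type a filename's extension claims with what the leading bytes actually are, and flags the case where a ".jpg" carries a Windows PE header (the `MZ` DOS stub plus the `PE\0\0` signature at the offset stored in `e_lfanew`). The sample byte strings are constructed in the code; the filenames `picture.jpg` and `gf1008.exe` are taken from the post, the rest are assumed.

```python
"""Flag executables disguised as images by checking magic bytes against the
file extension. Added example; sample inputs are constructed, not captured."""
import os
import struct

# Leading byte signatures ("magic numbers") for common image formats.
IMAGE_TYPES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# What each image extension claims the content to be.
EXTENSION_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def is_pe_executable(data: bytes) -> bool:
    """True if data begins like a Windows PE file: an 'MZ' DOS header and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (bytes 0x3c..0x3f)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A slice past the end of data is simply short and fails the comparison.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_content(data: bytes) -> str:
    """Return a type name derived from the bytes only, never from the name."""
    if is_pe_executable(data):
        return "pe-executable"
    for kind, signatures in IMAGE_TYPES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def check_disguise(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the content. Files whose extension
    is not an image type are reported but not judged here."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPE.get(ext)
    actual = classify_content(data)
    verdict = "ok"
    if claimed is not None and actual != claimed:
        verdict = "mismatch"
        if actual == "pe-executable":
            verdict = "executable-disguised-as-image"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


def check_path(path: str) -> dict:
    """Read the first 4 KiB of a real file; e_lfanew is normally well inside that."""
    with open(path, "rb") as fh:
        return check_disguise(path, fh.read(4096))


def build_fake_pe_header() -> bytes:
    """Constructed sample: only the header layout a loader recognises as PE.
    It is not a program and does nothing if run."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed JPEG/JFIF start marker, the bytes a genuine picture would begin with.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32


if __name__ == "__main__":
    # Hypothetical filenames: picture.jpg is the disguise described in the post,
    # gf1008.exe the dropped file; photo.jpg stands in for an honest image.
    for name, content in [("picture.jpg", build_fake_pe_header()),
                          ("photo.jpg", SAMPLE_JPEG),
                          ("gf1008.exe", build_fake_pe_header())]:
        print(check_disguise(name, content))
```

Run against a quarantined copy rather than the live file, and treat `executable-disguised-as-image` as a reason to look for the matching autostart value (here `MSNAgent`) with a tool that reads the registry hive directly, since the post shows the usual viewers missing it.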
