Re: New MSN Messenger Worm

["Nathan Einwechter" <nathane () fatelabs com>]

Update: The worm is now also sending the message

"URGENT - Go to http://users.skynet.be/dark.angel/cool.htm";

-- Nathan Einwechter

----- Original Message -----
From: Drew Smith <drew () eastvan bc ca>
To: <incidents () securityfocus com>; <bugtraq () securityfocus com>
Sent: Wednesday, February 13, 2002 8:09 AM
Subject: New MSN Messenger Worm


> Heya folks,
>
> Ok, let's try this again, with a little more time spent on my side. ;)
> Tried to submit this earlier today, but got bounced for attaching the
> worm source to the message.  So, this time, I'm attaching a URL instead,
> where you can go get the source if you want to see it.
>
> This worm *ripped* through our office today - it's one part flaw in
> Microsoft's security model and one part social engineering; it is a
> NON-MALICIOUS worm, but it effectively proves the concept, and I don't
> foresee more than a week or two before there's a nasty version.
>
> We've been calling it the "cool worm", after the original filename,
> "cool.html".
>
> I said *ripped*.  I meant it.  40 people affected/infected in under 30
> seconds.  That's the dangerous part, I didn't even have time to go to
> the other room to let coworkers know what was up.
>
> The worm shows up as an MSN Messenger message that says "Go To
> http://www.masenko-media.net/cool.html NoW !!!".  The user, obviously,
> clicks the URL, which takes them to the site, where the malicious code
> sits.  The code opens the MSN Contacts list, then messages every contact
> with the message "Go To http://www.masenko-media.net/cool.html NoW
> !!!".
>
> Think about that for a second.
>
> Anyhow - the worm does nothing nasty, but the source to the (now down)
> masenko-media.net site also mails the hostname and user agent of the
> connecting host to "mmargae () wanadoo nl".
>
> Looks to me like an experiment that got loose from the lab, but it
> demonstrates a *dangerous* flaw.  Why can a webpage open the contacts
> list in the first place?  What other hooks does MSN Messenger provide?
> Can you harvest email addresses from a contact list?
>
> Too many scary implications.
>
> Worm source (with a few important lines removed, so that it doesn't
> start popping up *everywhere*), available at:
>
> http://riotnrrd.com/cool-source.zip
>
> Cheers,
> - Drew.
>
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com