Thursday, December 18, 2008

The MSN "Not A Phishing Worm"

This is a funny one actually :)
I am just working as usual when I got the following message on my MSN Messenger:
This is how real girls party. Great high quality pictures on
http://jusmineza.PartyPicturez.info
Now of course i understood that it's a worm, but still, lets see where it leads to.
So I went into the site and it looked like this:



















With what i have seen until now, this is a classic phising site, I saw dozens
like it for Yahoo! in the past. But wait! lets look at that GREY text blow:

Terms of Use / Privacy Policy:

By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a "phishing" site that attempts to "trick" you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN's terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

OK, they said in the text:
This is not a "phishing" site that attempts to "trick" you into revealing personal information.
So they don't want our usernames and password, which is also the EMAIL of most people, yeah I believe them, sure.

They just want to:
1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.
Which is completely different with what a worm does. A worm just spreads and "introduces", "entertaining" sites with a lot of porn and exploits.
By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.
.....
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED
Yeah why not, take my account and send spam "on behalf of third parties" and if they get like hacked or something, we are not responsible, you agreed to this.

I believe this should be called "Legal Phishing User Agreement" or "Worm As A Service".
It is also a little wiered that a "legal" domain called "partypicturez.info" is dealing with MSN accounts and not PICTURES FROM PARTIES and has unlimited(*.) subdomains and only 1 page, don't you think?!
Ofcourse they used the domain protection:
Registrant Email:9648af2d68114548bfc703cca6806a46.protect@whoisguard.com
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard
Well, don't fill any form you see without reading the small (and in this case GREY) prints :)

Update:
The messages are updated by the hour, these ones are specific for xmas.
Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814
The same worm also sends this message:

"[msn_dst_user], claim your Prize!
http://[msn_src_user].win-win-it.com/winner.php"

And

congratulations [msn_dst_user]!!!
http://[msn_src_user].accept-your-gift.com/winner.php

And

merry XMAS heres your gift
http://[msn_src_user].specialofferforyou.info/gift.php

And

[msn_dst_user], claim your Xmas Card!
http://[msn_src_user].greeting-cardss.com/xmas.php

And

http://freegiftznow.com/xmas.php
And
[msn_dst_user], see the pics from yesterday's christmas party what do u think?
http://[msn_src_user].yourimagez.com/xmas.php
And this one, which redirects to http://www.xxxblackbook.com
Mmmm Babe!

Just got myself a naughty profile here. You should check me out before its too late!

http://www.theblogboards.com/profiles.php
And this one which is misconfigured and will not work the the subdomain contains an "_"
http://[msn_src_user].crazy-new-year-party-pics.com
And
http://nu-years.awesomeofferz.com
And
http://[msn_src_user].real-cool-newyear-party-pics.com
And
Claim your Prize! EXPIRY: TODAY!!!! Hurry
http://mypoemstoyou.com/winner.php
And
see pictures of me naked & fucking all night long!! LOL
http://www.seex4u.com/collegepics.php
And
see my 2009 new years party album i uploaded here <:o)<:o) http://2009-newyear-party-pics.com/party.php
And this which redirects to http://www.naughty-nightz.com/
see this blog
http://theblogboards.com/blog.php
And
hey babe... i created a profile here with some of my secret pictures.... dont wait too long .... signup to see!
http://www.date-me-now.com/myprofile.php

Which is also registered by WHOISGuard.
Both these websites were built to make people download this:
http://www.desktopsmiley.com/toolbar/desktopsmiley/download/stb_installer.exe

Which they claim is:

"Download DesktopSmiley to get 1000's of FREE Smileys!
It's totally FREE! No Registration. No Spyware."

Yes, a toolbar advertised by a WORM is not spyware, sure...
The example above was version 2.0c. It seems these guys used different methods and different domains and different company names in the older versions (which is typical to viruses and spyware but not to legitimate software).
The following example belongs to an older version 1.1c whi MSN message:

foto http://hi5.eu.com/id.php?=[dst_user_email]
Which prompts a download for "IMG455.jpg-www.photo.com" which is an EXE file with a COM extension and where ran "True Type Detection" will be made by windows loader and it will execute as the regular EXE file it is.
Those people don't care a bit and they left "Directory Browsing" open in the subdomain's root, check it out at: http://hi5.eu.com/
They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar

They also have a version at: http://new.upicx.com/ (which i think just went down...)
Which loads " http://new.upicx.com/indexx.php" and " http://new.upicx.com/pop.php" and VERIFYS the request's REFERER is " http://new.upicx.com/" so direct reference to these files returns "404 Not Found".

6 comments:

arkon said...

"Legal Phishing User Agreement"
lol :(
sad but true

hypacore@hotmail.com said...

A friend's MSN account is sending this out - how does he clean this up?

Random.Penguin said...

LOL Half my friends have this, and I told them something on the lines of what you said. Good to have someone who understands... Everyone happens to fall for the naked pics and wut not... hey ill ttyl. gud to know you.

Anonymous said...

Is it enough just to change your password on the account, or has the account been compromised? I deleted one MSN account that was sending out these messages. Now I am getting them from another friend. He doesn't want to delete his Hotmail account.

Rafel Ivgi said...

If you didn't install any of their DesktopSmiley like Spyware then all you need to do is change log out your active msn session, log in, change your password and verify that your "password retrieval email address" is still your address :)

jimi123 said...

hi ive read a lot of posts by techs concerning desktop smiley, it stays on your pc after deleting normally.
But as the readings are very interesting nobody seems to know how to eradicate the infestation, only antispyware i found was "exterminate it" which found the files but wont fix unless you pay, fair enough but theres nothing out there that can do it for free (as far as i know)