
Yo Momma! 

Aug 20, 2007 03:00 AM

It’s the universal comeback. No matter what insult is thrown your way, you can always escape just by saying “your momma”. So I had to laugh when we received a variant of an MSN worm that entices would-be victims with “lol, your mom just sent me this picture?” Even funnier was the fact that the bot operator infected himself with his own worm.

This variant of the worm has been named W32.Scrimge.E. The worm isn’t restricted to just the one question, either, offering up any one of these goodies:


- Did you take this picture?
- Is that you on the left?
- How drunk was I in this picture?
- Is that your mom in this picture?
- lol, your mom just sent me this picture?

It was “your mom,” however, that caught our attention, as the worm seems to be getting a bit more refined from previous incarnations, when the phrases were not quite as catchy, unless of course you like cute puppies:

- look @ my cute new puppy :-D
- look @ this picture of me, when I was a kid
- I just took this picture with my webcam, like it?
- check it, i shaved my head
- have u seen my new hair?
- what the ____, did you see this?
- hey man, did you take this picture?

The way the worm works is to send one of its messages at random to the infected user’s online MSN contacts. The message is then followed by a prompt to receive the file img807.zip:

[Image: invite.jpg]

The zip file contains a file named “img807.jpg-www.photoalbums.com”, which is obviously not an image file, but is instead an executable. The executable file extension .com is used instead of the more readily recognizable .exe extension in an attempt to fool users into thinking that the file is innocuous.

[Image: winzip1.jpg]

Along with the fact that the filename takes the form of a URL, this confusion tactic (between .com for URLs and .com for executables) will probably work in a large number of cases.

This new file name is also an improvement on previous variants of the worm. W32.Scrimge.A, for example, used a .scr extension instead to confuse users (although not significant to this discussion, W32.Scrimge.A used the filename img1756.zip instead of img807.zip):

[Image: winzip2.jpg]
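As an added illustration (not code from the original post), here is a small Python check a defender could run over a zip received through MSN: it flags member names that end in an executable extension but carry an image extension earlier in the name, the pattern used by img807.jpg-www.photoalbums.com and by the .scr variant. The archive it builds is a constructed stand-in holding placeholder bytes, not the worm.

```python
import io
import re
import zipfile

# Extensions Windows runs as programs; .com and .scr are the two the Scrimge
# variants used in place of .exe to make the payload look harmless.
EXECUTABLE_EXTENSIONS = {"com", "exe", "scr", "pif", "bat", "cmd"}
# An image-looking token earlier in the name marks the disguise; the '-www...'
# suffix in 'img807.jpg-www.photoalbums.com' is what makes it read like a URL.
IMAGE_TOKEN = re.compile(r"^(jpe?g|gif|png|bmp)(?![a-z0-9])")

def is_disguised_executable(name):
    """True when a name ends in an executable extension but carries an
    image extension earlier, e.g. 'img807.jpg-www.photoalbums.com'."""
    base = name.lower().rsplit("/", 1)[-1]      # ignore any folder inside the zip
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return False
    # Every dotted token between the stem and the real extension is a
    # candidate for the fake image extension ('jpg-www' in the sample).
    return any(IMAGE_TOKEN.match(token) for token in parts[1:-1])

def suspicious_members(zip_bytes):
    """Return the member names inside a zip archive that match the disguise."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [n for n in archive.namelist() if is_disguised_executable(n)]

def build_sample_zip(member_names):
    """Constructed stand-in for img807.zip: members hold placeholder bytes,
    not the worm; only the names matter for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in member_names:
            archive.writestr(name, b"placeholder bytes (constructed sample)")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip(["img807.jpg-www.photoalbums.com", "readme.txt"])
    print(suspicious_members(sample))   # ['img807.jpg-www.photoalbums.com']
```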

Of course, the worm is capable of more actions than solely spreading itself over MSN; it connects to an IRC server, “vpn.basecore.info,” and waits to receive commands, which can include:


- Starting / stopping spreading via MSN
- Launching denial of service attacks
- Removing itself completely from the infected computer
- Removing itself until the next reboot
- Removing itself for 24 hours
- Updating itself
- Downloading new executables
- Starting/stopping programs on the infected machine

The worm also sends information to the control server about what actions it took; here are some sample messages:

- MSN spread has been activated.
- Attempting to run MSN spread
- MSN spread has been deactivated.
- MSN worm sent to: xx contacts
- Status:. Box Uptime: xx, Bot Uptime: xx, Connected for: xx.
- !!!Security!!!. Lamer detected. coming back in 24hrs, download and update
- !!!Security!!!. Lamer detected. coming back next reboot, cya.
- Download
- Update

During testing of the worm, a connection to the control server was established. After waiting for some time in the control channel, two bot operators logged in and started chatting to each other about their bot networks. The conversation was quite funny, as one operator was complaining because his worm (W32.Scrimge.E) contained a programming error that forced the infected machines to disconnect from the IRC control channel. It’s also humorous that these two operators don’t seem to quite know what’s going on; plus, I love the sentence “imma test a boat”. Here is part of their conversation:

[Image: irc.jpg]

The conversation got even funnier when one operator confessed to the other that he had in fact infected himself with his own worm and was having difficulty stopping it.

The two operators had been talking in MSN Messenger themselves, and one then pasted some MSN text into the IRC channel, exposing their MSN nicknames:

* Logging for ##L## started
[x2] that this new bot Cybix ?
[Cybix] no
[Cybix] i duno what bot this is
[Cybix] rofl
[x2] lol
* Cybix sets mode: -M
[Cybix] wait for it
[Cybix] lol
[x2] lol
[x2] okay
[x2] :D
[x2] //mode $me -s
[Cybix] .msn
[x2] lol
[x2] no login ?
[x2] now
[x2] lol
[Cybix] no
[x2] nice
[x2] xD
[Cybix] LOL, you look so ugly in this picture, no joke...
[Cybix] rofl
[Cybix] wtf
[x2] ?
[x2] you are infected ?
[x2] xD
[x2] lol
[Cybix] yea
[Cybix] i infected myself
[x2] :/
[x2] lol
[Cybix] its still going
[Cybix] wtf
[x2] nice spread Cybix
[x2] lol
[Cybix] .remove
[x2] photo234.zip
[x2] xD
[x2] lol
[x2] really nice
[Cybix] you got it?
[x2] Marcus Says envoie :
[x2] Accepter(Alt.+C) Enregistrer sous...(Alt.+S) Refuser(Alt.+D)
[x2] KOR0SiF dit :
[x2] lol
[Cybix] did i say anything
[Cybix] or just send the file
[Cybix] .login version
[Cybix] .remove
[x2] just send files

So Cybix = Marcus and x2 = KOR0SiF, plus x2 is probably French-speaking, since he or she is using a French version of MSN:

[Cybix] you got it?
[x2] Marcus Says envoie :
[x2] Accepter(Alt.+C) Enregistrer sous...(Alt.+S) Refuser(Alt.+D)
[x2] KOR0SiF dit :
[x2] lol

The infected machines are controlled by changing the topic of the IRC channel; for example, in the following screenshot the topic has been changed to “.msnstart”, instructing all infected machines that are connected to the channel to start sending themselves to their infected user’s contacts:

[Image: topic.jpg]
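Because the bots take orders from the channel topic, the topic is also where a network defender can look for them. The following Python is an added example (not from the original post or from Symantec’s tooling): it parses raw IRC lines from a capture and reports any TOPIC change, topic replay on join (numeric 332) or channel message that carries one of the command words seen in this post (.msn, .msnstart, .remove, .login). The sample traffic, hostnames and channel name are constructed placeholders.

```python
import re

# Bot command words seen in the post: ".msn", ".msnstart", ".remove", ".login version".
KNOWN_BOT_COMMANDS = {"msn", "msnstart", "remove", "login"}
# Raw IRC line: optional ':prefix', a command word or 3-digit numeric, then params.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+|\d{3}) ?(?P<params>.*)$")
BOT_COMMAND = re.compile(r"^\.([a-z]+)(?:\s|$)")
# TOPIC = topic change; 332 (RPL_TOPIC) = topic replayed on join; PRIVMSG = typed commands.
COMMAND_CARRIERS = {"TOPIC", "332", "PRIVMSG"}

def parse_irc_line(line):
    """Split a raw IRC line into prefix, command, argument list and trailing text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params, trailing = m.group("params"), None
    if params.startswith(":"):
        params, trailing = "", params[1:]
    elif " :" in params:
        params, trailing = params.split(" :", 1)
    return {"prefix": m.group("prefix"), "command": m.group("cmd"),
            "args": params.split(), "trailing": trailing}

def bot_command(text):
    """Return the command word when text looks like a Scrimge-style '.command'."""
    m = BOT_COMMAND.match(text or "")
    return m.group(1) if m and m.group(1) in KNOWN_BOT_COMMANDS else None

def detect_c2(lines):
    """Return (irc_command, channel, bot_command) for every line that pushes a
    known bot command through a channel topic or message."""
    hits = []
    for line in lines:
        msg = parse_irc_line(line)
        if not msg or msg["command"] not in COMMAND_CARRIERS:
            continue
        word = bot_command(msg["trailing"])
        if word:
            channel = next((a for a in msg["args"] if a.startswith("#")), "?")
            hits.append((msg["command"], channel, word))
    return hits

# Constructed sample traffic; hostnames and the channel name are placeholders.
SAMPLE_LOG = [
    ":Cybix!op@host.example TOPIC #chan :.msnstart",   # topic change = spread order
    ":irc.example 332 bot42 #chan :.msnstart",         # topic replayed to a joining bot
    ":x2!op@host.example PRIVMSG #chan :lol",          # operator chatter, ignored
    ":Cybix!op@host.example PRIVMSG #chan :.login version",
    "PING :irc.example",                               # keepalive, ignored
]
```

Calling detect_c2(SAMPLE_LOG) returns the three carrier lines with their channel and command word; the chatter and keepalive lines are dropped.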

We monitored the channel further and saw both Cybix and x2 release a new variant each (we detected these as W32.Scrimge.G and W32.Scrimge.Gen). This was an attempt to fix the problem whereby the worm crashes after connecting to the IRC channel.

So, to Cybix and x2, I can’t resist saying thanks for entertaining us here and, also, “Yo Momma’s so ... [insert joke here]”

Further technical details about this worm can be found in the write-ups for W32.Scrimge.A and W32.Scrimge.E.
