Update: The worm is now also sending the message "URGENT - Go to
http://users.skynet.be/dark.angel/cool.htm"

-- Nathan Einwechter

----- Original Message -----
From: Drew Smith <drewat_private>
To: <incidentsat_private>; <bugtraqat_private>
Sent: Wednesday, February 13, 2002 8:09 AM
Subject: New MSN Messenger Worm

>
> Heya folks,
>
> Ok, let's try this again, with a little more time spent on my side. ;)
> Tried to submit this earlier today, but got bounced for attaching the
> worm source to the message. So, this time, I'm attaching a URL instead,
> where you can go get the source if you want to see it.
>
> This worm *ripped* through our office today - it's one part flaw in
> Microsoft's security model and one part social engineering; it is a
> NON-MALICIOUS worm, but it effectively proves the concept, and I don't
> foresee more than a week or two before there's a nasty version.
>
> We've been calling it the "cool worm", after the original filename,
> "cool.html".
>
> I said *ripped*. I meant it. 40 people affected/infected in under 30
> seconds. That's the dangerous part, I didn't even have time to go to
> the other room to let coworkers know what was up.
>
> The worm shows up as an MSN Messenger message that says "Go To
> http://www.masenko-media.net/cool.html NoW !!!". The user, obviously,
> clicks the URL, which takes them to the site, where the malicious code
> sits. The code opens the MSN Contacts list, then messages every contact
> with the message "Go To http://www.masenko-media.net/cool.html NoW
> !!!".
>
> Think about that for a second.
>
> Anyhow - the worm does nothing nasty, but the source to the (now down)
> masenko-media.net site also mails the hostname and user agent of the
> connecting host to "mmargaeat_private".
>
> Looks to me like an experiment that got loose from the lab, but it
> demonstrates a *dangerous* flaw. Why can a webpage open the contacts
> list in the first place? What other hooks does MSN Messenger provide?
> Can you harvest email addresses from a contact list?
>
> Too many scary implications.
>
> Worm source (with a few important lines removed, so that it doesn't
> start popping up *everywhere*), available at:
>
> http://riotnrrd.com/cool-source.zip
>
> Cheers,
> - Drew.
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
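
Added example, not part of the original posts: the thread describes one account sending the same link to every contact within seconds, so a defender can flag that fan-out pattern in instant-messaging logs instead of matching a single URL that changes between variants. The log tuple format, function name and thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def find_fanout(events, min_recipients=5, window_s=30):
    """Flag (sender, url) pairs where one sender delivered the same URL to at
    least min_recipients distinct recipients within window_s seconds.

    events: iterable of (epoch_seconds, sender, recipient, text); this log
    shape is hypothetical. Returns a sorted list of (sender, url, recipients).
    """
    by_key = defaultdict(list)  # (sender, url) -> [(timestamp, recipient)]
    for ts, sender, recipient, text in events:
        # Lower-case and trim trailing punctuation so variants group together.
        urls = {u.lower().rstrip(".,!") for u in URL_RE.findall(text)}
        for url in urls:
            by_key[(sender, url)].append((ts, recipient))

    alerts = []
    for (sender, url), hits in by_key.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_s.
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            best = max(best, len({r for _, r in hits[start:end + 1]}))
        if best >= min_recipients:
            alerts.append((sender, url, best))
    return sorted(alerts)

# Constructed sample data. The lure text is the message quoted in the report.
LURE = "Go To http://www.masenko-media.net/cool.html NoW !!!"
SAMPLE_EVENTS = (
    # One account messaging six contacts in six seconds (worm-like burst).
    [(1000 + i, "alice", f"contact{i}", LURE) for i in range(6)]
    # Ordinary sharing: same link to two people.
    + [(1000, "bob", "alice", "lunch menu: http://intranet.example/menu"),
       (1010, "bob", "carol", "lunch menu: http://intranet.example/menu")]
    # Same link to six people, but spread over hours.
    + [(1000 + 3600 * i, "carol", f"peer{i}",
        "status page http://intranet.example/status") for i in range(6)]
)

if __name__ == "__main__":
    for sender, url, count in find_fanout(SAMPLE_EVENTS):
        print(f"ALERT {sender} sent {url} to {count} contacts in a burst")
```
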
This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 19:59:15 PST