The MSN virus in the eyes of an anti-virus expert

Source: Internet
Author: User

An MSN virus is a malicious program that propagates itself by sending an infected file or a link to a malicious web page through MSN. Most MSN viruses work in much the same way, and the workflow can be divided into the following 3 steps:

1. The virus obtains the user's MSN friend list and sends the virus file or the malicious website address to each friend;

2. When an MSN friend receives and runs the virus file, or clicks the malicious website link, that friend is infected;

3. The virus then runs on each friend's machine and begins the workflow of steps 1~3 again.

Because MSN is instant and has a large user base, many MSN viruses infect a large number of users in a short time (several hours). For these viruses, MSN serves as a platform for spreading, so it is more accurate to call them MSN worms.

As far as I know, the first MSN worm was I-worm/funny, which appeared in April 2001. It is also known as Worm.hello, because it sends a file called "Hello.exe" via MSN. In 2001 I was studying in the computer department at university; I had only heard a little about MSN, and the students hardly ever used it. At that time the number of MSN users in China was very small, so the virus had little impact on domestic users.

As the number of MSN users in the country grew, the harm and impact of the "descendants" of the MSN worm family came to far exceed those of their "ancestor".

In December 2003, Jiangmin Company intercepted Flooder.MSN.Convont, which, once run, sends messages such as "Today I invite you to eat", "I love You, My Baby" and "I Love you. Darling" to all MSN friends. It does not actively spread itself, so it is not a worm but a hoax program. Even so, on December 11, 2003, I received 4 or 5 "invitations to dinner" from my friends. In July 2004, another very similar sample was intercepted: flooder.msn.marry, which sent the message "I am married Tomorrow".

The early domestic MSN viruses were mostly pranks of this type: they do not spread through MSN and do not cause any damage to the system; their only function is to annoy.

By contrast, MSN viruses from abroad were more mature over the same period. In July 2004, a worm called "MSN Shooter" (I-WORM/MSN.SINMSN.C) broke out widely in South Korea. Luckily, "MSN Shooter" targeted only the Korean version of MSN and did not spread from the machines of non-Korean users. It had virtually no impact on domestic users.

As I recall, the first domestic MSN worm that could be called an "outbreak" was "MSN Clown" (I-worm/msnfunny), intercepted by Jiangmin on October 10, 2004. It sends a copy of itself, Funny.exe, and the address of a website to friends via MSN, and redirects more than 900 popular websites to that site. While spreading, it advertised the website and brought it a huge amount of traffic. Within hours of the worm's outbreak, the Jiangmin Antivirus center received hundreds of reports of infection. For a considerable proportion of domestic MSN users, this was also their first encounter with an MSN worm attack.

As more and more MSN worms appeared, Microsoft was forced to make security upgrades to MSN, prohibiting the direct transfer of EXE files in the hope of curbing the worms' momentum. But the outbreaks of the "MSN Sexy Chicken" and "MSN Good Fast" worms at the beginning of 2005 proved that Microsoft's security upgrade existed in form only.

On February 3, 2005, "MSN Sexy Chicken" (i-worm/msn.DROPBOT.B) broke out. Its most distinctive feature is that, once run, it displays a spoof picture of a sexy chicken. At the same time, the worm drops backdoor programs, leaving infected computers fully controlled by hackers. It spreads not only through MSN but also through a variety of system vulnerabilities and weak passwords, so its ability to infect is very strong. "MSN Good Fast" appeared in March of the same year and can spread through MSN and peer-to-peer sharing software. When these two worms send copies of themselves, they set the filename suffix to ".pif" or ".scr", which are also valid suffixes for executable files, and so easily bypass MSN's "prohibit the transfer of EXE files" restriction.

The "success" of "MSN Sexy Chicken" and "MSN Fast" attracted a large number of imitators. Calling 2005 the "year of the instant messaging software worm" is no exaggeration. The proportion of domestic worms spreading through various instant messaging software soared, and for the first time there were worms that sent copies of themselves through QQ. By this time virus authors had become skilled at spreading through MSN, and many old Trojans and backdoors also gained the ability to spread via MSN. For example, the famous Trojan horse "Wuhan Boys" (TROJAN/PSW.Whboy, which brings to mind Li June, who also left the word "whboy" inside the panda incense virus) added code for propagating through MSN, QQ, UC and network bubble.

For MSN viruses, 2006 was a placid year: the variety and number were still large, but there was no large-scale outbreak whose name people would remember. If one must pick out something memorable about MSN that year, it is the "harassment incident" in which the "China edge" site used a large number of MSN robots with MSN accounts, which many domestic MSN users may have encountered. First a stranger requests to be added as a friend; once accepted, it sends a URL pointing to "China edge". Alternatively, users find in their Hotmail mailbox an e-mail sent by one of their MSN friends, whose content also promotes the site. Because of this, many users turned to the Jiangmin anti-virus center, suspecting that they were infected with a virus. But investigation found that this was not caused by a virus. Prompted by the China edge website, users had entered their own MSN account passwords, which resulted in their accounts being used.

The "sexy album" worm, intercepted by Jiangmin on June 1, 2007, is the fastest-spreading MSN worm of the most recent year. It sends an infected ZIP archive via MSN, and inside the archive is a virus program. Infected computers also connect to remote IRC servers to receive hackers' remote control and become "zombie computers."

Because the latest version of MSN bans the direct transfer of EXE, PIF, SCR and other such file types, "sexy album" chose to first put itself into a ZIP archive and then send the ZIP. This bypasses MSN's blocking, but it would seem to reduce the speed at which the virus proliferates: a user has to receive the infected ZIP file, extract it, and click the program inside to run it before being infected. However, judging from the number of infection reports on the day of the outbreak, the trouble of extracting a ZIP file is not enough to dampen users' curiosity, and the worm spread no more slowly than "MSN Sexy Chicken" did 2 years earlier.
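
The two bypasses described above (renaming the copy to ".pif" or ".scr", then wrapping the program in a ZIP) both defeat a filter that only looks at a single file extension. The Python code below is an added example, not part of the original article and not code from MSN or Jiangmin: it checks an incoming transfer by extension, by the "MZ" header of Windows programs, and by looking inside ZIP archives. The function names, the extra extensions, the limits and the sample bytes are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# .exe/.pif/.scr are named in the article; .com/.bat/.cmd are assumed additions.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
MAX_DEPTH = 3                   # assumed limit on archive nesting
MAX_MEMBER = 50 * 1024 * 1024   # assumed limit on bytes read per member


def inspect_transfer(filename, data, depth=0):
    """Return reasons to block an incoming file; an empty list means none found."""
    reasons = []
    # Windows ignores trailing dots and spaces, so strip them before comparing.
    ext = os.path.splitext(filename.rstrip(". ").lower())[1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"{filename}: executable extension {ext}")
    if data[:2] == b"MZ":
        # DOS/PE header: the content is a Windows program whatever the name says.
        reasons.append(f"{filename}: MZ executable header")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    if depth >= MAX_DEPTH:
        return reasons + [f"{filename}: archive nested too deeply"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{filename}!{info.filename}"
            if info.flag_bits & 0x1:  # encrypted member cannot be inspected
                reasons.append(f"{path}: encrypted member")
            elif info.file_size > MAX_MEMBER:
                reasons.append(f"{path}: member too large to inspect")
            else:
                reasons += inspect_transfer(path, zf.read(info), depth + 1)
    return reasons


def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a 64-byte "MZ" stub stands in for a real program.
FAKE_PE = b"MZ" + b"\x00" * 62
ALBUM_ZIP = make_zip({"photos/img001.scr": FAKE_PE, "readme.txt": b"hello"})
```

Calling `inspect_transfer("album.zip", ALBUM_ZIP)` reports the ".scr" member twice, once for its extension and once for its header, while a renamed copy with a harmless-looking name is still caught by the header check alone.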

The above briefly recalls the MSN worms that I know of. Spreading via MSN has become a common malware technique, and samples of a wide variety of backdoors, worms and Trojans are able to spread through MSN. In fact, avoiding infection by MSN worms and reducing the harm after infection is not difficult. It can be summed up in the following 4 points, which I want to share with the reader:

1. When a friend sends a suspicious file, be sure to ask about it before accepting it;

2. Be sure to install anti-virus software and update the virus library promptly. Files received over MSN should be scanned with antivirus software;

3. Once you find that your computer shows symptoms such as automatically sending messages or files to friends, immediately end the MSN program, then update the virus library and use anti-virus software or a dedicated removal tool to scan the system;

4. Do not reveal your MSN account password on unknown websites.
