msnmsg.exe?

Theo

Hi, got something new today. Something called msnmsg.exe in the
winnt/system32 folder. Not to be confused with MSN Messenger (msnmsgr.exe).
Anyone seen this before? The usual scans don't pick it up, or the registry
entry that runs it at startup (as a service on w2k). It constantly tries to
make an internet connection on port 6667.

Cheers.
 
A backdoor trojan or worm, most likely. Google turns up this tidbit of
intel on the file:

http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.BV&VSect=T

That it's repeatedly attempting to use IRC port 6667 pretty much
confirms the above.
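
Added example, not part of the original thread: a small check that combines the two indicators discussed above, repeated outbound attempts to IRC port 6667 and an image name that nearly matches a legitimate one (msnmsg.exe vs msnmsgr.exe). The log format, addresses, retry threshold and every path other than the system32 one are constructed assumptions.

```python
from collections import Counter
from difflib import SequenceMatcher
from ntpath import basename  # Windows path rules on any platform

IRC_PORT = 6667                 # port named in the thread
KNOWN_GOOD = {"msnmsgr.exe"}    # the legitimate name the thread contrasts with
MIN_ATTEMPTS = 3                # assumed threshold for "constantly tries"

# Constructed sample log: time, process image, remote address, remote port.
SAMPLE_LOG = r"""
09:14:02 C:\WINNT\system32\msnmsg.exe 192.0.2.10 6667
09:14:32 C:\WINNT\system32\msnmsg.exe 192.0.2.10 6667
09:15:02 C:\WINNT\system32\msnmsg.exe 192.0.2.10 6667
09:15:10 C:\Program Files\Messenger\msnmsgr.exe 198.51.100.7 1863
09:15:32 C:\WINNT\system32\msnmsg.exe 192.0.2.10 6667
09:16:40 C:\mirc\mirc.exe 198.51.100.20 6667
"""

def parse(log):
    """Yield (image, address, port); the image path may contain spaces."""
    for line in log.splitlines():
        try:
            _time, rest = line.split(None, 1)
            image, addr, port = rest.rsplit(None, 2)
            yield image, addr, int(port)
        except ValueError:
            continue  # blank or malformed line

def lookalike_of(image, cutoff=0.85):
    """Return the known-good name this image nearly matches, else None."""
    name = basename(image).lower()
    for good in KNOWN_GOOD:
        if name != good and SequenceMatcher(None, name, good).ratio() >= cutoff:
            return good
    return None

def findings(log):
    """Processes that retried the IRC port at least MIN_ATTEMPTS times."""
    attempts = Counter(img for img, _addr, port in parse(log) if port == IRC_PORT)
    return [{"image": img, "irc_attempts": n, "imitates": lookalike_of(img)}
            for img, n in attempts.items() if n >= MIN_ATTEMPTS]

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(hit)
```

The single 6667 connection from the IRC client in the sample stays below the threshold, so only the process that keeps retrying is reported.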
 
Yea I think I saw that. Familiar but the registry keys weren't changed
except for the run one. I caught it pretty quick. The first time it tried
to access I thought it was part of windows update (which was also running
at the time) so I let it go a couple times. But it kept doing it and I got
suspicious. Then TFTP tried to run.

Anyways nothing identified it as a trojan. Perhaps it's new. I sent it to
Symantec so they could see if it is.
 
They said it was W32.Spybot.Worm but from how I interpret their email, NAV
doesn't detect this one (already knew that), and will be included in the
next def update or their rapid release defs... whatever those are.

At least I know I wasn't being alarmist ;o)
 
Theo said:
They said it was W32.Spybot.Worm but from how I interpret their email, NAV
doesn't detect this one (already knew that), and will be included in the
next def update or their rapid release defs... whatever those are.

At least I know I wasn't being alarmist ;o)

Rapid release definitions are virus defs released every day from the
website, under the heading Intelligent Updater. You download an 8Mb
(approx) executable file, containing all virus defs up to the exact day, run
it, and it installs for you. If you've broadband, you might wanna consider
doing this every day. Live Update doesn't update often enough for my
liking.

http://securityresponse.symantec.com/avcenter/defs.download.html

Enjoy.
 
"Wattsville Blues" wrote:
Rapid release definitions are virus defs released every day from the
website, under the heading Intelligent Updater. You download an 8Mb
(approx) executable file, containing all virus defs up to the exact
day, run it, and it installs for you. If you've broadband, you might
wanna consider doing this every day. Live Update doesn't update often
enough for my liking.

http://securityresponse.symantec.com/avcenter/defs.download.html

Enjoy.

Ah, OK, those. I've only used them when LiveUpdate didn't work for some
reason... or I needed to update a computer that I didn't want to expose to
the net.

Thanks
 