Recent MSN Messenger Worm Variant – Worm:Win32/Pushbot.BE
Here’s a mantra everyone, especially every tester, should learn and repeat regularly:
ALL TRUST IS MISPLACED
Users are warned constantly never to open files from someone they don’t know, but they really need to be even more pessimistic than that. A lot more pessimistic. Just because something comes from the account of someone you know or recognize does not mean it’s actually from that person or that they know it’s being sent.
Chuck and I became aware of this variant when he received an instant message from a former co-worker he’d not talked to in many months. The text of the message said “Is this YOU?” and it contained a link that, at first glance, looked like it might be an image of some sort because of the word ViewImage in the link. When he clicked on it, it wanted to either run or save an MS-DOS application. Needless to say, he didn’t allow it to do either.
Instead we passed the information on to an antivirus group.
Sure enough, it was a new variant of Win32/Pushbot called Win32/Pushbot.BE – at least that’s what one vendor calls it. The naming of viruses and variants, especially those that are not of a single type, tends to be more than a little inconsistent across vendors.
Now if Chuck had been a little less suspicious, he’d have likely fallen for that bit of social engineering. It played on people’s desire to see whether someone who knows them found a picture of them and what that picture might be, because the sender is someone they know at least well enough to add to their messenger list. It goes back to a mix of trust and human curiosity.
If he’d allowed the file to run, it would have spread by sending itself to all the members of his friends list as well.
In case you DID fall victim to this worm, you can see how to remove it in Microsoft’s Malware Protection Center entry.
December 6th, 2009 at 6:44 pm
Do you have any more info on this?