I am just working as usual when I got the following message on my MSN Messenger:
This is how real girls party. Great high quality pictures onNow of course i understood that it's a worm, but still, lets see where it leads to.
So I went into the site and it looked like this:
With what i have seen until now, this is a classic phising site, I saw dozens
like it for Yahoo! in the past. But wait! lets look at that GREY text blow:
OK, they said in the text:
By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.
We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a "phishing" site that attempts to "trick" you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.
We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.
This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.
If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.
They just want to:
1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.Which is completely different with what a worm does. A worm just spreads and "introduces", "entertaining" sites with a lot of porn and exploits.
By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.Yeah why not, take my account and send spam "on behalf of third parties" and if they get like hacked or something, we are not responsible, you agreed to this.
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED
I believe this should be called "Legal Phishing User Agreement" or "Worm As A Service".
It is also a little wiered that a "legal" domain called "partypicturez.info" is dealing with MSN accounts and not PICTURES FROM PARTIES and has unlimited(*.) subdomains and only 1 page, don't you think?!
Ofcourse they used the domain protection:
Registrant Email:email@example.comWell, don't fill any form you see without reading the small (and in this case GREY) prints :)
Admin Name:WhoisGuard Protected
The same worm also sends this message:
"[msn_dst_user], claim your Prize!
merry XMAS heres your gift
[msn_dst_user], claim your Xmas Card!
[msn_dst_user], see the pics from yesterday's christmas party what do u think?The messages are updated by the hour, these ones are specific for xmas.
Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814
Which is also registered by WHOISGuard.
Both these websites were built to make people download this:
Which they claim is:
"Download DesktopSmiley to get 1000's of FREE Smileys!
It's totally FREE! No Registration. No Spyware."
Yes, a toolbar advertised by a WORM is not spyware, sure...
The example above was version 2.0c. It seems these guys used different methods and different domains and different company names in the older versions (which is typical to viruses and spyware but not to legitimate software).
The following example belongs to an older version 1.1c whi MSN message:
foto http://hi5.eu.com/id.php?=[dst_user_email]Which prompts a download for "IMG455.jpg-www.photo.com" which is an EXE file with a COM extension and where ran "True Type Detection" will be made by windows loader and it will execute as the regular EXE file it is.
Those people don't care a bit and they left "Directory Browsing" open in the subdomain's root, check it out at: http://hi5.eu.com/
They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar
They also have a version at: http://new.upicx.com/ (which i think just went down...)
Which loads " http://new.upicx.com/indexx.php" and " http://new.upicx.com/pop.php" and VERIFYS the request's REFERER is " http://new.upicx.com/" so direct reference to these files returns "404 Not Found".