New trojan on MSN March 2010

On March 1st 2010 Telenor TSOC discovered a new worm spreading on Windows Live Messenger. This time the lure is written in the recipient's native language, so the probability that users actually click the link is much greater. The worm sends a link from one of your contacts on MSN; if you click it, a trojan is downloaded to your PC and installs itself. This is a serious risk for businesses that allow users to run Windows Live Messenger on the company network: once one PC on the internal network is compromised, the chance of it infecting other PCs is even greater. This is one of the main reasons to implement OCS 2007 R2 as the only business solution for chat. Some arguments are:

  • Encrypted internal chat solution
  • All traffic stays inside your organization
  • Can federate and chat with other organizations in a secure manner
  • Can add global rules for blocking links, file transfers and unpatched clients
  • Can add MSN contacts and be sure that messages with links are blocked server-side

In addition to secure chat, OCS gives businesses the ability to implement Unified Communications and is therefore far more than just a chat client.

About this trojan

First you get a message from one of your contacts saying "seen this?? :D" with a link to hxxp://www.facebook-c.com/image.php?Photo023girl.JPG. The trojan adapts to the language of the computer and displays the text in your native language; in Norwegian it reads "se på dette bildet :D" followed by the link. The link pointed to a site hosted at Yahoo, so it was only live for a day or two. It was still a serious security risk. The trojan is written in Visual Basic and executes a C++ program. It installed itself as c:\windows\winmbu.exe and granted itself an exception in the local firewall. The program gave the trojan's operator the ability to:

  • Communicate with the C&C server over the IRC protocol
  • Send messages over MSN and Yahoo Messenger
  • Download and run files on the infected computer

At release only 13 of 41 antivirus products detected this file, so even with an up-to-date antivirus on the local computer, 28 of the 41 solutions (roughly 68%) would not have detected it.
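Since signature-based antivirus missed the file on release day, the more reliable place to catch this worm is the lure message itself, which is also what the server-side link blocking argued for above relies on. The script below is an added example (it is not code from Telenor TSOC or from this blog) that scans a constructed IM log for the three indicators the post describes: a short "look at this" lure phrase in English or Norwegian, a link whose host imitates a well-known brand without being that brand's real domain (facebook-c.com is not facebook.com), and a URL whose path is a server-side script while its query string is dressed up to end like a picture (image.php?…JPG). The log line format, the sample messages and the brand list are assumptions made for the example.

```python
"""Flag MSN-style IM lures of the kind described in the post.

Added example, not code from the original page. Log format, sample lines
and the brand list are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: brands whose names get borrowed by lookalike hosts, with the
# domains that legitimately belong to them. A real deployment would keep
# this list in sync with its own allowlist.
KNOWN_BRANDS = {"facebook": {"facebook.com"}, "myspace": {"myspace.com"}}

# Lure phrases in the two languages the post mentions (English, Norwegian).
LURE_PHRASES = ("seen this", "se på dette bildet")

# Accept both live (http) and defanged (hxxp) links, as found in SOC notes.
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.IGNORECASE)
IMAGE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|bmp)$", re.IGNORECASE)
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".cgi")


def registrable_domain(host):
    """Return the last two labels of a host (naive, but enough here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_brand(host):
    """Return the brand a host imitates, or None if it is the real domain."""
    domain = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in domain and domain not in legit:
            return brand
    return None


def script_posing_as_image(url):
    """True when the path is a script but the query string ends like an image."""
    parsed = urlparse(url)
    return (parsed.path.lower().endswith(SCRIPT_EXTS)
            and IMAGE_EXT_RE.search(parsed.query) is not None)


def analyse_message(text):
    """Return the list of indicators found in one message body."""
    reasons = []
    lowered = text.lower()
    if any(phrase in lowered for phrase in LURE_PHRASES):
        reasons.append("lure phrase")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"lookalike host {host} imitates {brand}")
        if script_posing_as_image(url):
            reasons.append(f"script posing as image: {url}")
    return reasons


def scan_log(lines):
    """Return (sender, reasons) for messages carrying at least two indicators.

    Constructed line format: "<timestamp> <sender> -> <recipient>: <text>".
    Two indicators are required so a lone "seen this?" with a harmless link
    does not page anyone.
    """
    hits = []
    for line in lines:
        match = re.match(r"\S+ (\S+) -> \S+: (.*)", line)
        if not match:
            continue
        sender, text = match.groups()
        reasons = analyse_message(text)
        if len(reasons) >= 2:
            hits.append((sender, reasons))
    return hits


# Constructed sample log: two infected senders, three benign messages.
SAMPLE_LOG = [
    "2010-03-01T09:12:03Z alice@example.org -> bob@example.org: seen this?? :D "
    "hxxp://www.facebook-c.com/image.php?Photo023girl.JPG",
    "2010-03-01T09:13:40Z bob@example.org -> alice@example.org: lunch at 12? "
    "http://www.facebook.com/events/123",
    "2010-03-01T09:15:11Z kari@example.no -> ola@example.no: se på dette bildet :D "
    "hxxp://www.facebook-c.com/image.php?Photo023girl.JPG",
    "2010-03-01T09:16:02Z ola@example.no -> kari@example.no: holiday pic "
    "http://photos.example.org/img/beach.jpg",
    "2010-03-01T09:17:30Z bob@example.org -> alice@example.org: seen this talk? "
    "http://example.org/talk",
]

if __name__ == "__main__":
    for sender, reasons in scan_log(SAMPLE_LOG):
        print(sender, "->", "; ".join(reasons))
```

Run against the sample log it reports alice@example.org and kari@example.no, each with all three indicators, and stays silent on the three benign lines, including the one that uses the real facebook.com domain and the one that merely says "seen this talk?". The host check is deliberately about the registrable domain rather than the full hostname, so www.facebook-c.com and facebook-c.com are treated the same.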

Link to the official article in Norwegian: http://telenorsoc.blogspot.com/2010/03/trojaner-spres-via-msn-messenger.html
Link to the antivirus protection overview: http://www.virustotal.com/analisis/89c677bc0044864d80244aee8201661e79f431f33c3b164aa778f363fe1cf9da-1267474859

How Windows Live Messenger works

Any post starting with this disclaimer means that the post was not written by me; however, I liked it and added it to my blog. I will also include the link to the original or a similar post to give credit to the original author.

Read the entire post here: http://www.milkaddict.com/?p=21

How does Windows Live Messenger work? There are millions of users typing messages every day, but few of them have probably ever asked themselves how the messenger really works, so here I wrote a little post about it. Windows Live Messenger is a hybrid client-server / peer-to-peer application. It basically started as a client-server application. Let's say that client A wants to contact client B. Client A logs in to a CS (Connection Server) through a persistent TCP connection (possibly via a proxy, gateway, etc.). Behind the CS are the PS (Presence Servers). Each person always gets the same particular PS, which is where your personal status message, the description of your user photo and similar things are stored.

[Image: Msn1]

Another element of the architecture is the Address Book. Client A gets his list of contacts directly from the Address Book. Then client A tells his CS who his friends are, and the CS subscribes to his friends' PS to get the presence information, which is sent up through the client-server connection. If client A changes his status to Offline, for example, the change goes up to the CS of A, then to the PS of A, then down to the CS of B through the subscription, and then down to client B.

CHAT

If client A wants to chat, he tells his CS that he wants to contact somebody, and the CS tells A to contact a Mixer, which sends the IM traffic to a destination, for example to B (passing through the CS of B). Then A and B talk back and forth through the Mixer.

[Image: Msn2]

You can also watch an original video where some of the developers and visionaries behind Windows Live Messenger explain how it works: http://channel9.msdn.com/posts/Charles/Windows-Live-Messenger-What-How-Why/