
New IM Virus/Malware involving Windows Live Messenger

  • 21-04-2009 2:26pm
    #1
    Registered Users Posts: 1,530 ✭✭✭


    Has anyone else noticed there is a new virus or spam worm going around that is being distributed via the Windows Live Messenger?

    I have got a few IMs from two friends specifically with links to:

    coolestofferz.com and imageloaderz.com

    These people have antivirus installed and updated and have changed their passwords, yet their accounts (while offline according to the WLM status) send out what appear to be messages from them with links to the above sites.

    Then if you click the link it takes you to a page to register for an account, and of course it asks for your logon/password for Hotmail.

    Anyone else seen this?


Comments

  • Closed Accounts Posts: 1 cpacheco


    I'm having the same problem, one computer here sending messages via Live Messenger to all his contacts with links to imageloaderz.com

    Strange that a Google Search doesn't reveal anything more, maybe it's a new virus.

    I'm going to see the computer with the problem right now, it has NOD32 up to date. I'll report back as soon as I have something else.


  • Registered Users Posts: 1,530 ✭✭✭CptSternn


    The two lads who have the issue sending the same to me both use Avast and have it up to date. One is using Vista with Windows Defender and the other XP with Spybot - Search and Destroy. Both have scanned their PCs with all of those apps and have found nothing.


  • Closed Accounts Posts: 1 DasEli


    Hey Guys,

    I've got the same problem. I didn't check everything until now, but soon I will. I've got a Spybot and the newest AntiVir. So if everyone knows something new, pls post!

    Best
    DasEli


  • Registered Users Posts: 1 bobbycox1


    Hi guys. I'm just reading your comments here and have some news for you. I "clean" PCs of all nasty stuff and found that a free program called "Malwarebytes' Anti-Malware" usually cleans all these IM viruses. It's available in a Google search and just simple to use. I use AVG Free 8.5 for antivirus and Windows Defender but these won't remove the IM virus. The Malwarebytes' will do the job. Try it and see. You will be surprised what rubbish it will pick up and no registration or fee is involved.


  • Registered Users Posts: 2,002 ✭✭✭bringitdown


    Malwarebytes is good alright, along with Ad-Aware and SpyBot.

    From my understanding this may not be an infection on the PC, rather the offending users have innocently entered their MSN username/password in a site that then uses the credentials to login to MSN and spam users.

    Simple fix is to get them to change their MSN password. As I said this may be the cause ... I have had one user fixed this way however another still spams me despite a change in password.


  • Registered Users Posts: 1,530 ✭✭✭CptSternn


    bringitdown -

    After further investigation it turns out ye might be right, sort of. What I mean is the user(s) in question may have entered their password, which then is used to send the spam/phishing links. That being said, the user either accidentally did so after being misled on another phishing site, or, they were the victim of an IE exploit on some other site.

    The bottom line is that it appears there is no virus or worm per se. What I mean is, once a user is infected, it sends a link to a phishing or infected site via IM. If the user on the other end clicks this link, then they can also be infected - but this is not normal virus/worm activity so it's not being picked up.

    If the user is being infected via an IE bug then hopefully this will be remedied and patched soon, plus AV makers will find a way to address this.

    For users who are duped in phishing scams, this will be a bit more difficult as this requires users to be better educated.

    I did some more research and surprisingly found out lots about this and other related phishing scams which all trace back to one guy.

    I started by looking up the domains which were being referenced in the links: coolestofferz.com and imageloaderz.com.

    Both were registered by:

    Richard Simons
    Suite 102, Ground Floor
    Blake Building, Corner Eyre & Hutson Streets
    Belize City BELIZE, 00000 BZ
    Phone: +501.2658789
    Fax: +1.5555555555
    cssmanagement@hushmail.me


    Both were also registered via the registrar Enom, which just received a warning from ICANN due to the high number of bogus domains and phishing domains which are being registered on their service.

    http://domainnamewire.com/2008/05/27/icann-puts-enom-and-moniker-on-notice/

    That being said if you Google cssmanagement@hushmail, Richard Simons, or the above address you will find link after link to other phishing sites or sites listing scams which have the same user registered.

    http://www.scam.com/showthread.php?p=746902

    More importantly, searching for domains with the same registered information will pull back a whole list of LOCKED domains which have been locked by the registrars because of PHISHING:

    http://whois.domaintools.com/photobukkets.com

    http://whois.domaintools.com/verynicethingz.com

    I contacted Microsoft along with Enom and another crowd Incentaclick.com - as the malicious code being sent is sending links to other phishing sites as listed above as well as pay-per-click ad links at incentaclick.

    Oddly enough, I then got an email FROM the actual person in question - here is the email in full...


    From: cssmanagement@hushmail.me
    To: XXX
    Subject: virus? joke?

    Hello.

    Not the first time we are hearing from this guy "sternn"
    within the last days.

    Hes trying to harass on us with false arguementations everywhere.
    He also contacted NameCheap - our domain registrar, ENOM , and now
    he comes after you. Everywhere hes pulling the same false
    informations about our work and company.


    Lets get straight to the point.


    Anything we do on the site and on the IM is totally legal.

    All informations/actions what is happening on the site and on the
    IM are disclosed in our T's & C's. Nobody is tricked! We are
    clearly showing the T's and C's to every user - they also have to
    read and accept them before logging in to our service/site. We are
    not breaking any laws where our servers are hosted and/or our
    company is incorporated.


    He sais virus? Why doesnt he tell the truth - his friend - or
    whoever he is getting IM's from, has used my site and therefore
    accepted the site Terms - which allow me to send and promote sites
    via IM's.

    Foolish or not , the users themselves have to be careful what they
    accept and where they are entering their data! Not only on my site -
    like on every site on the net! If they want to use our MSN Pics
    for friend site, then they are free to do so, isn't it?!

    To unsubscribe - People can also change their MSN password anytime
    and our system will delete them automaticly - This Unsubscribe info
    is also stated on our site within the Terms. Even with a direct
    link to the MSN password change script. Everybody can read clearly
    read how to unsubscribe if they want to.


    If that guy is not satisfied with our service, he should just
    directly contact us to solve his problem instead of harassing on
    other people.
    We are having all our company informations visible on our domains -
    with E-Mail and Company contacts. We are not hiding in any way -
    why should we, we are not breaking our law in ANY way.


    An example of our T's and C's can be read on one of our sites:


    http://imglists.com


    Read the T's and C's carefully, and you will see anything is
    disclosed there.

    Im always here in case you have more questions, just let me know!


    Best regards,
    Richard Simons / CSS Management Inc.


    As you can see, yer man does not have a very good grasp of the English language, and claims that since he has the user's password and under his 'T's and C's' (I'm assuming he means terms and conditions here), it gives him full authority to spam from their account as well as phish for other passwords. That is quite funny actually, because if you check out the terms of use for the Windows Live services (http://dev.live.com/terms/tos.aspx) it actually forbids this sort of thing a few times in a few different clauses - not to mention the fact he is basically saying that having someone's password equates to having permission to steal their identity.

    Then there is the fact yer man is hiding the links he is sending, another violation, not to mention this screams illegal activity here - when you send a link to one site (i.e. http://www.mysite.com) which leads to somewhere else (http://www.dodgysite.com). And of course he is using HUSHMAIL - the anonymous email service to hide his IP and location, because if he was a real business then he would have a real domain and website - not hidden email accounts and bogus names and contact info on sites he is hiding behind bogus links and other persons' identities.

    What amazes me is Enom have not gone through their database and deleted all registrations from this user, since he obviously has a few domains registered under the same name.

    Anyway, the bottom line is the user needs to change their Hotmail/Windows Live password and then make sure they don't accidentally give it out anywhere, plus switch to Firefox.


  • Closed Accounts Posts: 2 Soul123


    Very interesting comments. I'm an 'infected' user.
    Some days ago, I received an IM from a friend who had just visited me a week before. The IM consisted of 4 links (.jpg) and with a smiley at the end. Normally I never click on viruses or stuff like these, but, yes, I fell for it and thought it was a link to a kind of platform like Flickr, where she had uploaded the pics, therefore I went further on the registration. Stupid me, was very naive, and as I do a lot of times (and believe many users do), I didn't read what I was clicking 'ok' for. It will certainly not happen again. These are the links I clicked on:
    //img82993.ImageLoaderz.com/?user=noorzzzz&pic=DSC00425.jpg
    //img82993.ImageLoaderz.com/?user=noorzzzz&pic=DSC00845.jpg
    //img82993.ImageLoaderz.com/?user=noorzzzz&pic=DSC01345.jpg
    //img82993.ImageLoaderz.com/?user=noorzzzz&pic=DSC01425.jpg
    (changed username of my friend)
    Now I am sending the same stuff from my IM, even when I am offline. I have uninstalled MSN Messenger, run my antivirus (Symantec) and installed again. No point in doing this... My antivirus didn't detect any strange stuff on my hard drive either. After reading this, I will certainly change my password, and see if it's ok after. As said, I am a little relaxed, because it seems only a kind of phishing, without damaging any of the components of the computer.
    As read above; maybe this guy you talk about is really not doing anything 'illegal' which I doubt, but as I haven't read the terms... what I think it's anyway rubbish, may not be illegal, but ethical... Using somebody else's ID to send IM, which lead to rubbish stupid 'cheap' pages, doesn't seem right to me.
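
Added example, not part of the thread: a Python check for the lure format quoted in the post above, where the `.jpg` name appears only in the query string while the page served is a login form. The function names, reason labels and sample links (with `example` as the user) are constructed for illustration; the two domains are the ones named in this thread.

```python
from urllib.parse import urlsplit, parse_qs

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
# Domains reported in this thread; extend from your own block list.
THREAD_DOMAINS = {"coolestofferz.com", "imageloaderz.com"}


def check_link(url):
    """Return the reasons a link resembles the IM lure described in the thread."""
    parts = urlsplit(url)  # handles scheme-relative "//host/..." links too
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    reasons = []

    # 1. Host is, or is a subdomain of, a domain reported in the thread.
    if any(host == d or host.endswith("." + d) for d in THREAD_DOMAINS):
        reasons.append("domain-named-in-thread")

    # 2. A picture filename is present, but only as a query value: the path
    #    itself is not an image, so the link cannot be a direct photo.
    path_is_image = parts.path.lower().endswith(IMAGE_EXTS)
    query_has_image = any(
        v.lower().endswith(IMAGE_EXTS) for vals in query.values() for v in vals
    )
    if query_has_image and not path_is_image:
        reasons.append("image-name-only-in-query")

    # 3. The sender's name is embedded to make the link look personal.
    if "user" in query:
        reasons.append("user-name-in-query")
    return reasons


def scan_message(text):
    """Map each suspicious link in an IM message to its list of reasons."""
    findings = {}
    for token in text.split():
        token = token.strip(".,)")
        if "://" in token or token.startswith("//"):
            reasons = check_link(token)
            if reasons:
                findings[token] = reasons
    return findings


# Constructed sample message: one lure-style link and one direct image link.
SAMPLE = ("look //img82993.ImageLoaderz.com/?user=example&pic=DSC00425.jpg "
          "and https://photos.example.org/albums/DSC00425.jpg :)")
```
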


  • Registered Users Posts: 1,530 ✭✭✭CptSternn


    TO FIX THE ISSUE:

    Change your Hotmail/Windows Live password.


    I am getting more and more of these every day from contacts in my Windows Live messenger list.

    This group sends links appearing to be from social networking sites (similar to Bebo) that appear to be from your friends, the reality is that your friend signed up on one of these social networking sites and gave out their hotmail, yahoo, or gmail password so the website could 'check for other friends in your contact list' - but what they do is steal your password and spim/spam your friends. They also send links and emails appearing to be from you telling your friends to sign up at the new site and then ask them for their email login info so they can then pretend to be them and mass spam/spim their list.

    The links they send via spim are alternated between trying to get you to give them more passwords and links that are disguised which take you to pay-per-click websites - which is why they are doing this - trying to take advantage of pay-per-click web advertising.

    So, don't give out your email password on any social networking sites.


  • Closed Accounts Posts: 2 Soul123


    Yes, indeed, I changed my password and the problem has disappeared.

    Seems this kind of 'virus' is on fashion. I get several from my friends every time I log in to MSN... :(

