The MSN “Not A Phishing Worm”

This is a funny one actually :)
I was just working as usual when I got the following message on my MSN Messenger:

This is how real girls party. Great high quality pictures on

http://jusmineza.PartyPicturez.info

Now of course I understood that it’s a worm, but still, let’s see where it leads.
So I went into the site and it looked like this:

With what I have seen until now, this is a classic phishing site; I saw dozens like it for Yahoo! in the past. But wait! Let’s look at that GREY text below:

Terms of Use / Privacy Policy:

By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 T P Ltd

OK, they said in the text:

This is not a “phishing” site that attempts to “trick” you into revealing personal information.

So they don’t want our usernames and passwords, which is also the EMAIL of most people, yeah I believe them, sure.

They just want to:

1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

Which is completely different from what a worm does. A worm just spreads and “introduces” “entertaining” sites with a lot of porn and exploits.

By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.
…..
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED

Yeah why not, take my account and send spam “on behalf of third parties” and if they get like hacked or something, we are not responsible, you agreed to this.

I believe this should be called “Legal Phishing User Agreement” or “Worm As A Service”.
It is also a little weird that a “legal” domain called “partypicturez.info” is dealing with MSN accounts and not PICTURES FROM PARTIES, and has unlimited (*.) subdomains and only 1 page, don’t you think?!
Of course they used the domain protection:

Registrant Email:9648af2d68114548bfc703cca6806a46.protect@whoisguard.com
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard

Well, don’t fill in any form you see without reading the small (and in this case GREY) print :)

Update:
The same worm also sends this message:

“[msn_dst_user], claim your Prize!
http://[msn_src_user].win-win-it.com/winner.php”

Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814

Which is also registered by WHOISGuard.
Both these websites were built to make people download this:

http://www.desktopsmiley.com/toolbar/desktopsmiley/download/stb_installer.exe

Which they claim is:

“Download DesktopSmiley to get 1000’s of FREE Smileys!
It’s totally FREE! No Registration. No Spyware.”

Yes, a toolbar advertised by a WORM is not spyware, sure…
The example above was version 2.0c. It seems these guys used different methods, different domains and different company names in the older versions (which is typical of viruses and spyware but not of legitimate software).
The following MSN message belongs to an older version, 1.1c:

foto http://hi5.eu.com/id.php?=[dst_user_email]

Which prompts a download for “IMG455.jpg-www.photo.com”, which is an EXE file with a COM extension. When it is run, “True Type Detection” will be made by the Windows loader and it will execute as the regular EXE file it is.
Those people don’t care a bit and they left “Directory Browsing” open in the subdomain’s root, check it out at: http://hi5.eu.com/
They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar
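
The mismatch described above (a name that reads like a picture and a web address, content that is a plain EXE) can be checked on a download before anyone runs it. This is an added example, not code from the original post; the function names, the finding labels and the sample bytes are constructed for illustration, and only the file name comes from the post.

```python
import struct

IMAGE_HINTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
RUNNABLE_EXTS = ("exe", "com", "scr", "pif")

def is_pe_image(data):
    """True when the bytes start with an MZ header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_download(filename, data):
    """Compare what the name suggests with what the content is."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    findings = []
    # Flag PE content whose name does not end in .exe; a real DOS .COM
    # program has no MZ header at all.
    if is_pe_image(data) and ext != "exe":
        findings.append("pe-content-under-." + ext)
    # An image extension buried in a name that still ends in a runnable one.
    stem = name[: -(len(ext) + 1)] if ext else name
    if ext in RUNNABLE_EXTS and any(h in stem for h in IMAGE_HINTS):
        findings.append("image-extension-inside-runnable-name")
    return findings

# Constructed sample content (not the real files): a minimal MZ+PE stub
# and the first bytes of a JPEG.
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 0x40

if __name__ == "__main__":
    for fname, blob in [("IMG455.jpg-www.photo.com", PE_STUB),
                        ("IMG455.jpg", JPEG_STUB),
                        ("setup.exe", PE_STUB)]:
        print(fname, "->", classify_download(fname, blob) or "ok")
```
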

They also have a version at: http://new.upicx.com/ (which I think just went down…)
Which loads “http://new.upicx.com/indexx.php” and “http://new.upicx.com/pop.php” and VERIFIES that the request’s REFERER is “http://new.upicx.com/”, so direct reference to these files returns “404 Not Found”.
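
Two of the message templates quoted above carry a per-user token: the sender's account name as a subdomain and a greeting with the recipient's name in the win-win-it.com message, and the recipient's address in the query string of the hi5.eu.com one. The following sketch flags instant messages on those traits; it is an added example, not code from the original post, and the function name, reason labels and the example.com accounts are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s\"“”]+", re.IGNORECASE)

def lure_indicators(sender, recipient, text):
    """Return the reasons an IM matches the worm templates quoted in the post."""
    sender_id = sender.split("@")[0].lower()
    recipient_id = recipient.split("@")[0].lower()
    reasons = set()
    urls = URL_RE.findall(text)
    for url in urls:
        parts = urlsplit(url)
        labels = (parts.hostname or "").lower().split(".")
        # "[msn_src_user].win-win-it.com": sender's account name as a subdomain
        if len(labels) > 2 and sender_id in labels[:-2]:
            reasons.add("sender-id-in-subdomain")
        # "id.php?=[dst_user_email]": recipient's address in the query string
        if recipient.lower() in unquote(parts.query).lower():
            reasons.add("recipient-email-in-query")
    # "[msn_dst_user], claim your Prize!": greeting built from the recipient's id
    if urls and text.strip("“” \n").lower().startswith(recipient_id + ","):
        reasons.add("recipient-id-greeting")
    return sorted(reasons)

# Constructed messages that follow the templates in the post; the accounts are made up.
SAMPLES = [
    ("alice@example.com", "bob@example.com",
     "bob, claim your Prize!\nhttp://alice.win-win-it.com/winner.php"),
    ("alice@example.com", "bob@example.com",
     "foto http://hi5.eu.com/id.php?=bob@example.com"),
    ("alice@example.com", "bob@example.com",
     "lunch at 12? menu: http://www.example.org/menu"),
]

if __name__ == "__main__":
    for s, r, msg in SAMPLES:
        print(lure_indicators(s, r, msg) or "no indicator", "|", msg.replace("\n", " "))
```

The first lure (the PartyPicturez.info link) carries no per-user token, so this check does not catch it; it needs a domain or content rule instead.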

  • http://www.BeyondSecurity.com Aviram

    What next? A worm that pops up an EULA that says “this program may trash your computer and/or make it a part of a botnet to be remotely controlled to send spam”? :)

  • Richard

    I have two friends that are infected with this thing. How can we get rid of it? (And no, I did not fall for it).

  • Anonymous

    This is old news; there are a lot of webpages of this kind, like www whoadmitsyou com www quienteadmite ms, run by script kiddies that also launch DDoS against people that talk about their “Consented Phishing”.

  • NKarim

    Hi,

    I had accidentally signed up there and now they access my account and send instant messages to my contacts, and I am getting a lot of complaints about it. Could you suggest how to stop them doing this and prevent them accessing my account?

  • http://msn Georgina

    I also fell for it and now it is automatically sending instant messages to all my contacts. I then deleted MSN and re-installed it but the same thing is still happening. I have now changed my password. How do I stop it? I took the PC to get fixed and the IT people said I don’t have any virus. Help plz!!

  • kirjava

    If your MSN sends spam, change your password. It’s not a virus installed in the PC for sure, because some friends have a full antivirus program but also have a similar problem.

  • Crystal Plante

    I am having the same problem as everyone else. I don’t want to be a part of this and am tired of it sending unwanted messages to my friends. Please can you tell me how to stop it?