Monday, August 20, 2007 8:17 AM
Symantec Security Response Weblog: Yo Momma!
It’s the universal comeback. No matter what insult is thrown your way, you can always escape just by saying “your momma” *. So I had to laugh when we received a variant of an MSN worm that entices would-be victims with “lol, your mom just sent me this picture?” Even funnier was the fact that the bot operator infected himself with his own worm.
This variant of the worm has been named W32.Scrimge.E. The worm isn’t restricted to just the one question, either, offering up any one of these goodies:
- Did you take this picture?
- Is that you on the left?
- How drunk was I in this picture?
- Is that your mom in this picture?
- lol, your mom just sent me this picture?
It was “your mom,” however, that caught our attention, as the worm seems to be getting a bit more refined than previous incarnations, when the phrases were not quite as catchy, unless of course you like cute puppies:
- look @ my cute new puppy :-D
- look @ this picture of me, when I was a kid
- I just took this picture with my webcam, like it?
- check it, i shaved my head
- have u seen my new hair?
- what the ____, did you see this?
- hey man, did you take this picture?
The way the worm works is to send one of its messages at random to the infected user’s online MSN contacts. The message is then followed by a prompt to receive the file img807.zip:
The zip file contains a file named “img807.jpg-www.photoalbums.com”, which is obviously not an image file but an executable. The .com executable extension is used instead of the more readily recognized .exe extension in an attempt to fool users into thinking that the file is innocuous.
Along with the fact that the filename takes the form of a URL, this confusion tactic (between .com for URLs and .com for executables) will probably work in a large number of cases.
This new file name is also an improvement on previous variants of the worm. W32.Scrimge.A, for example, used a .scr extension instead to confuse users (although not significant to this discussion, W32.Scrimge.A used the filename img1756.zip instead of img807.zip):
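The naming tricks described above (an image extension buried in front of an executable extension, and a .com name shaped like a web address) can be checked mechanically. The following scanner is an added example, not Symantec’s code; the ZIP it inspects is constructed in memory with the member name from the post and harmless bytes, and the list of executable extensions is an assumption that extends the two the page mentions (.com and .scr).

```python
import io
import re
import zipfile

# Extensions Windows executes directly. W32.Scrimge.E used .com and
# W32.Scrimge.A used .scr; the others are assumed, commonly abused ones.
EXECUTABLE_EXTS = {".com", ".scr", ".exe", ".pif", ".bat", ".cmd"}
# Extensions a recipient expects when told "look at this picture".
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
# A name ending in "www.<something>.com" reads like a web address.
URL_TAIL = re.compile(r"www\.[a-z0-9-]+(?:\.[a-z0-9-]+)*\.com$")

def suspicious_reasons(name: str) -> list:
    """Return why a member name looks like a disguised executable (empty if not)."""
    lower = name.rsplit("/", 1)[-1].lower()          # drop any directory part
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    # An image extension earlier in the name, e.g. "img807.jpg-www...".
    if any(re.search(re.escape(img) + r"[.\-_ ]", lower) for img in IMAGE_EXTS):
        reasons.append("image extension hides executable extension " + ext)
    if ext == ".com" and URL_TAIL.search(lower):
        reasons.append(".com filename shaped like a web address")
    if not reasons:
        reasons.append("executable extension " + ext + " in an image lure")
    return reasons

def scan_zip(data: bytes) -> dict:
    """Map each suspicious member of a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = suspicious_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed stand-in for img807.zip: same member name, harmless bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("img807.jpg-www.photoalbums.com", b"not really an executable")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")      # a benign-looking member
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags only the disguised member, with both reasons; a mail or IM gateway could apply the same check to every archive it sees.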
Of course the worm is capable of more actions than solely spreading itself over MSN; it connects to an IRC server, “vpn.basecore.info,” and waits to receive commands, which can include:
- Starting / stopping spreading via MSN
- Launching denial of service attacks
- Removing itself completely from the infected computer
- Removing itself until the next reboot
- Removing itself for 24 hours
- Updating itself
- Downloading new executables
- Starting/stopping programs on the infected machine
The worm also sends information to the control server about what actions it took. Here are some sample messages:
- MSN spread has been activated.
- Attempting to run MSN spread
- MSN spread has been deactivated.
- MSN worm sent to: xx contacts
- Status:. Box Uptime: xx, Bot Uptime: xx, Connected for: xx.
- !!!Security!!!. Lamer detected. coming back in 24hrs, download and update
- !!!Security!!!. Lamer detected. coming back next reboot, cya.
- Download
- Update
During testing of the worm, a connection to the control server was established. After waiting for some time in the control channel, two bot operators logged in and started chatting to each other about their bot networks. The conversation was quite funny, as one operator was complaining that his worm (W32.Scrimge.E) contained a programming error that forced the infected machines to disconnect from the IRC control channel. It’s also humorous that these two operators don’t seem to quite know what’s going on (plus, I love the sentence “imma test a boat”). Here is part of their conversation:
The conversation got even funnier when one operator confessed to the other that he had in fact infected himself with his own worm and was having difficulty stopping it.
The two operators had been talking in MSN Messenger themselves, and one then pastes some MSN text into the IRC channel exposing their MSN nicknames:
* Logging for ##L## started
[x2] that this new bot Cybix ?
[Cybix] no
[Cybix] i duno what bot this is
[Cybix] rofl
[x2] lol
* Cybix sets mode: -M
[Cybix] wait for it
[Cybix] lol
[x2] lol
[x2] okay
[x2] :D
[x2] //mode $me -s
[Cybix] .msn
[x2] lol
[x2] no login ?
[x2] now
[x2] lol
[Cybix] no
[x2] nice
[x2] xD
[Cybix] LOL, you look so ugly in this picture, no joke...
[Cybix] rofl
[Cybix] wtf
[x2] ?
[x2] you are infected ?
[x2] xD
[x2] lol
[Cybix] yea
[Cybix] i infected myself
[x2] :/
[x2] lol
[Cybix] its still going
[Cybix] wtf
[x2] nice spread Cybix
[x2] lol
[Cybix] .remove
[x2] photo234.zip
[x2] xD
[x2] lol
[x2] really nice
[Cybix] you got it?
[x2] Marcus Says envoie :
[x2] Accepter(Alt.+C) Enregistrer sous...(Alt.+S) Refuser(Alt.+D)
[x2] KOR0SiF dit :
[x2] lol
[Cybix] did i say anything
[Cybix] or just send the file
[Cybix] .login version
[Cybix] .remove
[x2] just send files
So Cybix = Marcus and x2 = KOR0SiF; plus, x2 is probably French-speaking, since he or she is using a French version of MSN:
[Cybix] you got it?
[x2] Marcus Says envoie :
[x2] Accepter(Alt.+C) Enregistrer sous...(Alt.+S) Refuser(Alt.+D)
[x2] KOR0SiF dit :
[x2] lol
The infected machines are controlled by changing the topic of the IRC channel; for example, in the following screenshot the topic has been changed to “.msnstart”, instructing all infected machines that are connected to the channel to start sending themselves to their infected user’s contacts:
We monitored the channel further and saw both Cybix and x2 release a new variant each (we detected these as W32.Scrimge.G and W32.Scrimge.Gen). This was an attempt to fix the problem whereby the worm crashes after connecting to the IRC channel.
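Both the topic-based control described above and the status messages listed earlier are visible in plain IRC traffic, so a network sensor can pick them out. The following detector is an added example, not Symantec’s or the worm’s code: it parses raw IRC lines, matches TOPIC changes (and the numeric 332 topic reply sent on join) against the command tokens that appear in the post, and matches PRIVMSG text against the status beacons. The sample lines, nicks and hostnames are constructed.

```python
import re
from typing import Optional

# Topic commands named in the post (.msnstart) and seen in the IRC log (.msn, .remove, .login).
TOPIC_COMMANDS = {".msn", ".msnstart", ".remove", ".login"}
# Status beacons copied from the sample messages above; "xx" becomes a number or free text.
STATUS_PATTERNS = [
    re.compile(r"^MSN spread has been (de)?activated\.$"),
    re.compile(r"^Attempting to run MSN spread$"),
    re.compile(r"^MSN worm sent to: \d+ contacts$"),
    re.compile(r"^Status:\. Box Uptime: .*Bot Uptime: .*Connected for: "),
    re.compile(r"^!!!Security!!!\. Lamer detected\."),
]

def parse_irc(line: str) -> dict:
    """Split one raw IRC line into prefix, command, params and trailing text."""
    prefix = None
    if line.startswith(":"):                      # ":nick!user@host COMMAND ..."
        prefix, _, line = line[1:].partition(" ")
    body, _, trailing = line.partition(" :")      # trailing parameter follows " :"
    parts = body.split()
    command = parts[0].upper() if parts else ""
    return {"prefix": prefix, "command": command, "params": parts[1:], "trailing": trailing}

def classify(line: str) -> Optional[str]:
    """Label a line as a C&C command, a bot status beacon, or None."""
    msg = parse_irc(line.rstrip("\r\n"))
    text = msg["trailing"].strip()
    # Commands reach bots as a topic change (TOPIC) or as the topic sent on join (332).
    if msg["command"] in ("TOPIC", "332"):
        token = text.split()[0] if text else ""
        if token in TOPIC_COMMANDS:
            return "c2-command:" + token
    if msg["command"] == "PRIVMSG" and any(p.search(text) for p in STATUS_PATTERNS):
        return "bot-status"
    return None

# Constructed sample traffic; nicks and hostnames are placeholders.
SAMPLE_LOG = [
    ":Cybix!op@example.invalid TOPIC #chan :.msnstart",
    ":irc.example.invalid 332 bot42 #chan :.msnstart",
    ":bot42!w@host.invalid PRIVMSG #chan :MSN worm sent to: 17 contacts",
    ":bot42!w@host.invalid PRIVMSG #chan :Status:. Box Uptime: 3d, Bot Uptime: 2h, Connected for: 1h.",
    ":alice!a@host.invalid PRIVMSG #chan :hi, anyone here?",
]

def scan(lines) -> list:
    """Return (line, label) for every line that triggers a rule."""
    return [(l, classify(l)) for l in lines if classify(l) is not None]
```

`scan(SAMPLE_LOG)` returns the two topic commands and the two beacons and ignores the ordinary chat line; the same rules apply to any channel on the server, since the post shows the operators using the topic rather than private commands to drive the bots.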
So, to Cybix and X2, I can’t resist saying thanks for entertaining us here and, also, “Yo Momma’s so ... [insert joke here]”
Further technical details about this worm can be found in the write-ups for W32.Scrimge.A and W32.Scrimge.E.
Posted by Liam OMurchu on August 20, 2007 05:00 AM