ComSec
'SMB Worm' Spreading Through MSN Messenger

09-28-2003 12:48:50 AM CST -- from various anti-virus alert services

A worm that uses Microsoft MSN messenger program as a medium has been found in Korea and is spreading fast, anti-virus firms warned yesterday. Named Smess, the worm is a mutant of the Sinmsn worm discovered at the end of July, Ahnlab, the largest anti-virus firm in Korea, said yesterday. When a computer is infected, the worm sends a file named SMB.EXE, about 164,000 bytes in size, to all of the registered buddies of the user. Although the virus does not directly damage the infected computer, it can drive up network traffic dramatically and slow down online activities. To prevent the infection, Ahnlab advised that users of MSN reject any message alerting them that a buddy has sent them a file with that name. "We received more than 100 reports of infection during the morning. The situation is similar to that of last month, when the SoBig worm infected tens of thousands of personal computers," a manager at Ahnlab said. "We estimate that about 10,000 personal computers may have been infected with the virus because there are many MSN users in Korea."

The new worm comes through MSN Messenger as an SMB.EXE file attachment. Once the user accepts this file, the worm will send the SMB.EXE file to all contacts in the MSN Messenger contact list. If the user actually executes this file, a DOS prompt will come up for about a second and then disappear. Global Hauri's CEO, Mr. Eric Kwon says, "After infection this virus tries to connect to some porno site and cause network traffic. To the user, it appears to be difficult to log in MSN Messenger. We are currently analyzing this worm for more details. However, when you get a message from MSN messenger 'Sending SMB.EXE file,' do not accept this file."

The worm unzips these files: under the C:\ drive, smb.exe, admagic.exe and test.txt; under the Windows directory, atl.dll, raw32x.dll, sm.dll and uz.exe. Under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it will register svchost = admagic.exe.

How to repair manually

a) Go to task manager (Ctrl+Alt+Del).
b) Select "process tab"
c) Click 'admagic.exe' then click End Process
d) Go to C drive and delete 'smb.exe' and 'admagic.exe'
e) Go to Windows directory and delete 'atl.dll,' 'raw32x.dll,' 'sm.dll' and 'uz.exe'
f) Go to registry (Start -> Run -> type "regedit", click OK), then go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the svchost = admagic.exe string value.

take care
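
A triage check for the artifacts listed in the post above, as an added example that is not part of the original post or of any vendor's tool: it looks for the listed file names in a drive root and a Windows directory (for instance on a mounted image) and for the svchost = admagic.exe value in a text export of the Run key. The function names, the directory arguments and the sample export are assumptions made for this illustration.

```python
import ntpath
import os
import re

# Indicators exactly as listed in the post above.
ROOT_FILES = ("smb.exe", "admagic.exe", "test.txt")
WINDIR_FILES = ("atl.dll", "raw32x.dll", "sm.dll", "uz.exe")
RUN_NAME, RUN_DATA = "svchost", "admagic.exe"

# Constructed sample of a .reg export of the Run key (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\admagic.exe"
'''

def _present(directory, names):
    """Names found directly in directory; Windows file names are case-insensitive."""
    try:
        entries = {e.lower() for e in os.listdir(directory)}
    except OSError:  # missing or unreadable directory: nothing to report
        return []
    return [n for n in names if n in entries]

def run_key_hit(reg_export_text):
    """True if the export has a value named svchost whose data is admagic.exe."""
    value_line = re.compile(r'^"([^"]+)"="(.*)"\s*$')
    for line in reg_export_text.splitlines():
        m = value_line.match(line.strip())
        if not m:
            continue
        name = m.group(1).lower()
        data = m.group(2).replace("\\\\", "\\")  # .reg files double backslashes
        if name == RUN_NAME and ntpath.basename(data).lower().startswith(RUN_DATA):
            return True
    return False

def scan(drive_root, windows_dir, reg_export_text=""):
    """Report which of the post's indicators are present."""
    return {
        "root_files": _present(drive_root, ROOT_FILES),
        "windir_files": _present(windows_dir, WINDIR_FILES),
        "run_key": run_key_hit(reg_export_text),
    }

if __name__ == "__main__":
    print(scan("C:\\", os.environ.get("WINDIR", "C:\\Windows"), SAMPLE_REG))
```

A file named atl.dll or test.txt alone is weak evidence, since both names are common on clean systems; the Run value pointing at admagic.exe is the stronger signal. regedit exports are UTF-16 by default, so decode the file before passing its text in.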
agamemnon
A nice read :)

I'd like to have a go at writing something that spreads through MSN.
I don't think I'm able though. Anyhow, it'll be fun to read up on, savouring the possibilities.

Of course, there is the danger, that whatever I write might escape into "the outside world", which I really wouldn't want to happen. Especially considering how recently that guy in The States got locked up for his Blaster mutation. The world doesn't like hackers :( - And it's a dangerous game when writing viruses...
zadium
Need a nice read on the know hows of writing a worm :)

manu
Thanks Comsec.. Nice info. Will tell my folks to take care...

Manu :D