Solved

MSN messenger - messages from unknown contacts

Posted on 2006-06-27
Last Modified: 2006-11-18
about a month ago, we had a virus spread through MSN messenger.  a user would get a message from a known contact (a buddy on their list) that had a link.  when they clicked on the link, it downloaded the virus, scanned their buddy list, and spread itself to everyone on the list.  we stopped the virus before it spread very far ... and cleaned up the infected computers.  we have been fine for the past month.

this morning, many of the users got an IM from an *unknown* person (not a person on their buddy list).  many of the messages were in chinese, although i am getting reports of messages in english, too.  These messages have a link included.  so far, my users are reporting that they did not click on the link.  one person did add the contact to their buddy list, but says he did not click on the link.

I am running a virus scan.  last time this happened, symantec corporate AV did not detect the infection.  i submitted infected files to symantec and they wrote definitions for that virus which were included in a liveupdate.

since everyone here claims they did not click on the IM, i am wondering if this is just a random MSN thing ... or if i should continue to suspect that we have at least one infected computer ???
0
Question by:zephyr_hex
14 Comments
 
LVL 97

Expert Comment

by:war1
ID: 16994009
Greetings, zephyr_hex !

Since you scan your computer regularly for viruses, it is probably a random MSN thing.  But it is better to be vigilant.  Run an online scan on your computers once in a while.
Check for viruses and adware:

Housecall Online Scan
http://housecall.antivirus.com
or
Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
or
Kaspersky Virus Scan
http://www.kaspersky.com/virusscanner

Best wishes!
0
 
LVL 4

Accepted Solution

by:
Shaun84 earned 125 total points
ID: 16994045
It may just be a virus trying to spread: someone who has one of your users in their buddy list has been infected, and thus the virus tried to get onto your user.
E.g. Steve got the virus on his machine and has Dave (your user) on his buddy list; Steve's machine generated this message to Dave.

I suspect that no user has a virus, but I would check a couple of them with housecall.  http://housecall.trendmicro.com/
Some viruses corrupt the AV on a machine so they don't get picked up; housecall is web based, so it should pick up any viruses on your PC.

hope this helps
0
 
LVL 1

Expert Comment

by:Zabulon777
ID: 16994048
Either switch to secure GAIM with proper setup and continue to actively scan your machines, keeping them up to date on the definitions.   That's about all you can do.
0
 
LVL 42

Author Comment

by:zephyr_hex
ID: 16994177
thanks for the quick responses...
a couple of questions for Zabulon777 - how is GAIM different than Trillian?  i use trillian, and it did not block the virus last month.  also, how would GAIM prevent the spread of these random IMs?

what makes me wonder if this is a virus is that i personally have not received a strange msn message this morning.  there is one other person here who has not either.  both of us happen to *not* have another employee in particular on our buddy list.  to me, that says it's possible that other employee has some form of malware on his computer....  it read his buddy list and IM'd itself to the contacts... but did not IM me or the other person because we weren't on his list.  this person says they did not click on the link in the IM, but did add the person to his contact list.  i can't see how the act of adding a contact to the buddy list could install a virus ... link-clicking is the only method of getting a messenger virus that i'm aware of...
0
 
LVL 1

Expert Comment

by:Zabulon777
ID: 16994224
Does Gaim support secure instant messaging (encrypted IMs)?
Short answer: Yes, use the SILC protocol.
Long Answer (for other protocols): Not natively. Doing secure instant messaging right is a big deal and requires, among other things, an authentication scheme. Simply encrypting your data stream without verifying the party with whom you are chatting is not secure in any way; some other clients offer options like this, but we feel that such measures instill a false sense of security that is more harmful than helpful.
There are a number of 3rd party plugin developers working on developing a secure IM framework, the better ones using the GnuPG and the OpenPGP trust model for authentication. If you are serious about secure instant messaging, read the documentation on the "web of trust" model available at www.gnupg.org and try out one of these.

check out more here: http://gaim.sourceforge.net/
If set up properly you can rest a little easier on the messaging standpoint.  It takes a bit of tweaking but I have been able to create an encrypted IM environment!

Best of luck!
0
 
LVL 42

Author Comment

by:zephyr_hex
ID: 16994329
is this random messaging thing common in MSN?  i mean ... can it happen without someone on the network having a virus?
0
 
LVL 1

Assisted Solution

by:Zabulon777
Zabulon777 earned 125 total points
ID: 16994394
I have seen it randomly as well... it is usually a virus written specifically for MSN.  So yes, it can happen without someone on the network having a virus.
0
 
LVL 97

Assisted Solution

by:war1
war1 earned 125 total points
ID: 16994503
>> is this random messaging thing common in MSN?  i mean ... can it happen without someone on the network having a virus? >>

I have seen this type of message on MSN, AIM and YIM, the popular instant messengers.  There is always someone trying to infect your computer with a link.
0
 
LVL 10

Assisted Solution

by:ISoul
ISoul earned 125 total points
ID: 16995426
I think you can rest easy. Getting these random messages from random MSN people is not indicative that you have an infected computer within your network.

I've gotten these random messages on my home PC as well, and I can guarantee it's not infected with anything.
0
 
LVL 42

Author Comment

by:zephyr_hex
ID: 16996985
i checked the router/firewall logs at the site where i suspect the problem started.  There are lots of packets getting dropped...  now, i haven't checked their log in the past week or two, but the last time i did check, it was not like this.

example from log:
http://img285.imageshack.us/img285/8462/log2bl.jpg

this site LAN is only subnet 192.168.1.xx  .  we don't have a 192.168.2.xx and yet that IP is showing up in the log
also, i don't recognize many of the WAN IPs in the log  ( i have marked out the WAN IPs I do recognize)

is this an indication that we have malware or a virus?  or is it just a sign of some other kind of network issue?
0
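Added example, not part of the original thread: one way to triage dropped-packet entries like those described in the post above, by separating sources inside the site LAN (192.168.1.0/24, from the post) from RFC 1918 addresses that do not belong to it (such as 192.168.2.x), recognized WAN peers, and unrecognized WAN peers. The log line format, the sample lines and the `KNOWN_WAN` entry are constructed assumptions, since the real log is only available as an image.

```python
import ipaddress
import re
from collections import Counter

SITE_LAN = ipaddress.ip_network("192.168.1.0/24")      # subnet named in the post
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_WAN = {ipaddress.ip_address("203.0.113.10")}     # constructed placeholder

# Constructed sample lines in a hypothetical router log format.
SAMPLE_LOG = """\
Jun 27 09:14:02 DROP SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP DPT=1863
Jun 27 09:14:05 DROP SRC=192.168.2.40 DST=192.168.1.1 PROTO=UDP DPT=137
Jun 27 09:14:09 DROP SRC=203.0.113.10 DST=192.168.1.23 PROTO=TCP DPT=445
Jun 27 09:14:11 DROP SRC=198.51.100.99 DST=192.168.1.23 PROTO=TCP DPT=135
Jun 27 09:14:12 DROP SRC=192.168.2.40 DST=192.168.1.1 PROTO=UDP DPT=137
garbage line
"""

LINE_RE = re.compile(r"DROP SRC=(\S+) DST=(\S+)")

def classify(ip):
    """Return the triage category for a source address string."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk
    if addr in SITE_LAN:
        return "site-lan"
    if any(addr in net for net in RFC1918):
        return "foreign-private"             # private, but not this site's subnet
    return "known-wan" if addr in KNOWN_WAN else "unknown-wan"

def triage(log_text):
    """Group dropped-packet sources by category; count unparseable lines."""
    buckets, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        try:
            category = classify(m.group(1)) if m else None
        except ValueError:
            category = None
        if category is None:
            skipped += 1
            continue
        buckets.setdefault(category, Counter())[m.group(1)] += 1
    return buckets, skipped

if __name__ == "__main__":
    result, bad = triage(SAMPLE_LOG)
    for category, sources in sorted(result.items()):
        print(category, dict(sources))
    print("unparsed lines:", bad)
```
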
 
LVL 42

Author Comment

by:zephyr_hex
ID: 16997010
other notes:  i have run scans with symantec corporate AV (which is not damaged ... scans ran normally) and spybot (both with the latest defs).  moreover, i have had several of the users check their hosts file, and it is ok.  no one has reported any kind of problems on their computers, other than the weird MSN messages that occurred this morning (since then, i have had everyone sign out of MSN).
0
 
LVL 1

Expert Comment

by:Debugyeh
ID: 17014223
this is not as complicated as you're all making out

go to a command prompt

type net stop messenger

problem solved

0
 
LVL 42

Author Comment

by:zephyr_hex
ID: 17031698
does "net stop messenger" only stop the windows messenger service?  that is already disabled, by default, with service pack 2.  it is quite different from msn messenger.
0
 
LVL 1

Expert Comment

by:Debugyeh
ID: 17033573
apologies, misread, but i think your problem is bots randomly messaging adverts
0
