W32.Messmulti


Aliases: Win32/Symnet.B, W32/Smalltroj.HPSY, Win32.FakeAlert.ab, Trojan.Agent.AKOX, Win32.TrojanAgent.Ab
Variants: Symnet B, VirTool:Win32/DelfInject.gen!X, Trojan.Fakeavalert, Downloader.MisleadApp, W32.Saros@mm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 12 Mar 2007
Damage: Low

Characteristics: This malware has been observed by various computer security experts to take advantage of the functionality of Instant Messaging clients installed on the host machine. W32.Messmulti uses this Internet-based communication facility to distribute its code and carry out its infection routine. It has been observed to use the chat feature of the Instant Messaging client to send a link pointing to a copy of its own code.

More details about W32.Messmulti

Once W32.Messmulti has entered a vulnerable computer system, it exploits the functionality of the Instant Messaging client installed on the compromised machine. When successfully launched, it inspects all open windows activated by the computer user. W32.Messmulti takes control of windows whose window class name is gdkWindowToplevel, the class used for the top-level windows of GTK-based applications. It uses the window class name to distinguish an Instant Messaging client window from those of other software applications. W32.Messmulti normally carries a hard-coded list of window class names that it specifically searches for; once a match is found, it immediately takes control of the Instant Messaging client that opened the chat window.

W32.Messmulti also has a list of window titles that it avoids. It usually stays away from windows whose titles contain the text strings Login, Signon, or Buddy List, that is, client windows that are not active conversations. When W32.Messmulti finds a suitable window to take over, it types a predefined text string and emulates a press of the Enter key. This sends the chat recipient a message containing a link from which the worm's code can be silently downloaded. When the unwary recipient clicks on the link, W32.Messmulti is downloaded and executed on that machine without the user's knowledge.
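The propagation pattern described above (the same link-bearing message typed into one conversation window after another) leaves a recognisable trace in the IM client's own message history: one account sending an identical URL to many contacts within seconds. The following detector is an added example written for this page, not code from the original entry or from any vendor; it runs over a constructed sample log in an assumed "timestamp direction account contact message" format, and the URL, account and contact names in it are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IM client history (not real data, not from the original page).
# Assumed line format: "YYYY-MM-DD HH:MM:SS <in|out> <account> <contact> <message>"
SAMPLE_LOG = """\
2007-03-12 10:00:01 out alice bob hey, check this out http://example.invalid/pic.scr
2007-03-12 10:00:02 out alice carol hey, check this out http://example.invalid/pic.scr
2007-03-12 10:00:02 out alice dave hey, check this out http://example.invalid/pic.scr
2007-03-12 10:00:03 out alice erin hey, check this out http://example.invalid/pic.scr
2007-03-12 10:00:04 out alice frank hey, check this out http://example.invalid/pic.scr
2007-03-12 10:05:00 out alice bob are you coming tonight?
2007-03-12 11:00:00 out alice carol here is the doc http://example.invalid/report.pdf
2007-03-12 11:30:00 in bob alice sure
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+ \S+) (in|out) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "dir": m.group(2),
            "account": m.group(3),
            "contact": m.group(4),
            "msg": m.group(5),
        })
    return events


def find_fanout(events, min_recipients=3, window=timedelta(seconds=60)):
    """Flag outbound messages that carry the same URL to at least `min_recipients`
    distinct contacts within `window`. Returns a list of (account, url, recipients)."""
    by_key = defaultdict(list)  # (account, url) -> [(timestamp, contact), ...]
    for e in events:
        if e["dir"] != "out":
            continue
        for url in URL_RE.findall(e["msg"]):
            by_key[(e["account"], url.lower())].append((e["ts"], e["contact"]))

    alerts = []
    for (account, url), sends in by_key.items():
        sends.sort()
        # Slide a time window over the sorted sends and count distinct recipients in it.
        for i in range(len(sends)):
            recipients = set()
            for ts, contact in sends[i:]:
                if ts - sends[i][0] > window:
                    break
                recipients.add(contact)
            if len(recipients) >= min_recipients:
                alerts.append((account, url, sorted(recipients)))
                break  # one alert per (account, url) is enough
    return alerts


if __name__ == "__main__":
    for account, url, recipients in find_fanout(parse_log(SAMPLE_LOG)):
        print(f"possible IM worm fan-out: {account} sent {url} "
              f"to {len(recipients)} contacts: {', '.join(recipients)}")
```

The thresholds (three recipients within sixty seconds) are a starting point rather than a tuned value; a legitimate user occasionally pastes one link to a few friends, so the detector is most useful as a trigger for inspecting the linked file rather than as a blocking rule. Because the worm types its text through the client itself, the messages appear in the client's history exactly like user-typed ones, which is why the history (or the client's network traffic) is the right place to look.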