A fake update claiming to be from MSN Messenger contains a malicious Trojan.


Identified by the Websense Security Labs ThreatSeeker Network, the spam message is intended to lure users into downloading the Trojan. The claims that by downloading the application linked within the email, users can protect themselves against a virus that spams messages to a user's contacts.


The email offers an update to Live Messenger Plus which upon accessing downloads the Trojan (md5: 5F1D2521F6949F8B71B9FF93C17A8BE2), which Websense claims has a low antivirus detection rate.

The URLs provided in the email redirect the user to a two-stage downloader named dsc.scr. As a distraction for the user, a dialog box is displayed explaining that the user will be redirected to msn.com.br, a browser then opens pointing to this site.


The downloader first contacts hxxp://*snip*ario.com/games_06.jpg, and then hxxp://*snip*ario.com/games_04.jpg, adding the two files to the root of C:

A scheduled task is then created, and modifications are made to autoexec.bat to disable GBPlugin and other tools promoted by Brazilian banks to protect against such keyloggers and other malware.


The malware then goes on to conduct information-stealing activities.