Com-Central.net

Virus Poses as Leaked MSN Messenger Beta
By Paul F. Roberts
December 27, 2005

Internet users are being warned about a new virus that poses as a leaked pre-release version of the MSN Messenger instant messenger program.

Unsuspecting Windows users who install the phony MSN Messenger Version 8 "beta" actually install an IM worm that spreads to their IM contacts, and connects their computer to a remote control "bot" network run by malicious hackers, according to F-Secure Corp., an antivirus firm based in Helsinki.

A Web site, msgr8beta.com, purports to have the leaked version of MSN Messenger. The site touts the advantages of the MSN Messenger 8, including "real-time emoticons," and "built-in functionality with Windows Media Player 10." Microsoft has not yet released a beta for MSN 8 to the public, although versions of the software are rumored to have been released to select customers.

However, the download offered from the Web site doesn't contain any MSN Messenger code, said Mikko Hyppönen, manager of antivirus research at F-Secure. Instead, clicking on the Web site download links installs a virus that F-Secure calls "Virkel.F," and causes your MSN Messenger client to send download links for the malicious Web site to the person's IM contacts. Behind the scene, Virkel.F connects infected machines to a remote "botnet" server that can be used to issue commands or transfer malicious programs to the infected host, he said.

F-Secure researchers learned of the new virus Tuesday after customers reported receiving suspicious IM messages with links to the Web page Hyppönen said.

Virkel is a new twist on an older family of IM viruses named "Kelvir." The source code for Kelvir was released on the Internet and has spawned many variants. The new Virkel family adds remote control "botnet" capability to the IM worm feature, Hyppönen said.

F-Secure reported the new worm to Microsoft. It is not clear why the attackers set up the site at all. However, the domain could be promoted through spam and news group postings, Hyppönen said.

The msgrbeta8.com Web site was registered on Dec. 24 to a "Mark Nicholas," of Richmond, U.K. E-mail messages sent to the administrative address at msgr8beta.com were returned, and Nicholas could not be reached at home or via cell phone for comment on Tuesday. It was unclear whether Nicholas was actually the individual who registered the Web site, or whether another individual used his contact information when setting up the Web domain.


The malicious Web site calls attention to a persistent problem that fosters online attacks and the spread of malicious code: loose monitoring of Web domain registration.

Based on test results, the U.S. Government Accountability Office estimates that 1.64 million (3.65 percent) of Web domains have been registered with incomplete data in one or more of the required fields, and 2.31 million domain names (5.14 percent) have been registered with patently false data.

Individuals and organizations use the lax domain registration process to hide their identities and prevent members of the public from contacting them, GAO said.

Better enforcement of domain registrations would help curb online fraud, spam and intellectual property theft, GAO said.