
Internet Popups accessing systems' Client Server Runtime Process?


Kayaker
August 20th, 2003, 19:55
Hi all,

I connected to the 'Net a couple of times recently and forgot to enable my personal firewall, and got a popup from some kind of scam advertising, of all things, a popup filter! Using Task Manager I found that the nag box was running under a thread of the Client Server Runtime Process (process csrss.exe/csrsrv.dll). I also found that Win2K's Event Viewer logged these two internet popups as Application Popup events, the same kind of event recorded when you get a regular application error popup. The nag process ran under the name of Messenger Service.

I was wondering if anyone has looked into how these popups actually manifest themselves? Are they initiated from standard Javascript that accesses CSRSS in some way to pop up the stupid message, or is this a different kind of penetration?

I'm not sure *where* I got this from both times; I had several sites open at the time and it just 'appeared' while I was quietly browsing. Would this kind of thing come from a site directly, say in a linked advertising banner running a spamware script, or is this some other kind of internet attack bot combing the net for open ports or something to spew its message?

I haven't found much in the way of info on Csrss.exe or the function it imports from csrsrv.dll, CsrServerInitialization, but the code does look like it might be used to generate a popup nagbox (posing as an application error message). There is an interesting set of (mostly undocumented) ntdll functions it uses, including NtSetInformationProcess and NtRaiseHardError in the exe, and NtSetDefaultHardErrorPort in the dll.

I suppose a clue would lie in how a popup filter works, seeing what it hooks to prevent the popups in the first place, but I have no experience with that. Any thoughts?

Cheers,
Kayaker



Here is the Event log in case anyone else has been attacked.

----------------------
Application popup: Messenger Service : Message from Admin to You on 8/20/2003

~-~-~-~-~-~~-~-~-~- How To Disable These Popups -~-~-~-~-~-~~-~-

A new wave in Internet advertising is coming. Its called the Messenger
service and its built directly into your Windows operating system.
It is only a matter of time before the email spammers that fill your inbox
learn about this and flood you with porn and pyramid scam popups that
monopolize your screen. Fix this today!

VISIT : www.MessageStop.net
-------------------------


...The message in the earlier popup was a little different, heh, maybe I should buy into this complete crap and go to the site?

-------------------------
Application popup: Messenger Service : Message from ALERT to You on 7/25/2003

* * * * * * * MAKE THIS YOUR LAST POP-UP EVER! * * * * * * *

Destroy these pop-ups for a fraction of the price of our competitors!!!

Go to: www.MessageDestroyer.net
-------------------------

nikolatesla20
August 20th, 2003, 20:11
Nothing too complicated here - just a popup randomly sent to your IP using the "net send" command, which talks to the 2K/XP Messenger Service.

Also, there are special versions of "net send" which allow you to fake the source name. Easy to get...

Just turn off the Messenger Service in Services, you don't need it anyway...

-nt20
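An added example, not from the thread and not a tool any poster used, that parses the Event Viewer "Application popup" entries quoted above and applies the point of the reply: the sender and recipient names in a net send message are whatever the remote end put in the datagram, so they prove nothing, and the checks worth making are an allowlist of machines that legitimately send alerts and a URL in the body. The two spam entries are the ones quoted in the thread; the FILESRV01 entry, the application-error entry, the trusted-sender list and the local names are constructed for the example, and the header regex assumes the US-style date Event Viewer showed in those entries.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample input: Event Viewer "Application popup" entries as they read
# after export. The first two are the spam popups quoted in the thread; the third is
# a legitimate admin alert and the fourth an ordinary application error box, both
# made up here to show what the parser must accept and ignore.
SAMPLE_EVENTS = [
    """Application popup: Messenger Service : Message from Admin to You on 8/20/2003

~-~-~-~-~-~~-~-~-~- How To Disable These Popups -~-~-~-~-~-~~-~-

A new wave in Internet advertising is coming. Its called the Messenger
service and its built directly into your Windows operating system.
It is only a matter of time before the email spammers that fill your inbox
learn about this and flood you with porn and pyramid scam popups that
monopolize your screen. Fix this today!

VISIT : www.MessageStop.net""",
    """Application popup: Messenger Service : Message from ALERT to You on 7/25/2003

* * * * * * * MAKE THIS YOUR LAST POP-UP EVER! * * * * * * *

Destroy these pop-ups for a fraction of the price of our competitors!!!

Go to: www.MessageDestroyer.net""",
    """Application popup: Messenger Service : Message from FILESRV01 to KAYAKER on 8/21/2003

Server FILESRV01 will reboot for maintenance at 18:00. Please save your work.""",
    """Application popup: notepad.exe - Application Error : (constructed error text, not a Messenger message)""",
]

# Header line of a Messenger Service entry. Sender and recipient are free text
# supplied by the remote end; the date format is the US style seen in the thread.
HEADER_RE = re.compile(
    r"^Application popup: Messenger Service : "
    r"Message from (?P<sender>.+?) to (?P<recipient>.+?) on (?P<date>\d{1,2}/\d{1,2}/\d{4})\s*$",
    re.MULTILINE,
)
# Bare "www." hosts and http(s) URLs; both spam popups use the bare form.
URL_RE = re.compile(r"(?:https?://|www\.)[A-Za-z0-9.-]+\.[A-Za-z]{2,}", re.IGNORECASE)


@dataclass
class MessengerMessage:
    sender: str
    recipient: str
    date: str
    body: str
    urls: List[str] = field(default_factory=list)


def parse_messenger_event(event_text: str) -> Optional[MessengerMessage]:
    """Parse one Application popup entry; return None when it is not a Messenger
    Service message (e.g. an application error box, which is logged the same way)."""
    m = HEADER_RE.search(event_text)
    if m is None:
        return None
    body = event_text[m.end():].strip()
    return MessengerMessage(
        sender=m.group("sender").strip(),
        recipient=m.group("recipient").strip(),
        date=m.group("date"),
        body=body,
        urls=URL_RE.findall(body),
    )


def spam_indicators(msg: MessengerMessage, trusted_senders: Set[str], local_names: Set[str]) -> List[str]:
    """Heuristics for net send spam. The sender name is not authenticated, so it is
    only compared against an allowlist of hosts that are expected to send alerts."""
    reasons = []
    if msg.sender.upper() not in {s.upper() for s in trusted_senders}:
        reasons.append(f"sender {msg.sender!r} not in trusted list")
    if msg.recipient.upper() not in {n.upper() for n in local_names}:
        reasons.append(f"recipient {msg.recipient!r} is not this host or its user")
    if msg.urls:
        reasons.append("body advertises " + ", ".join(msg.urls))
    return reasons


def scan(events: List[str], trusted_senders: Set[str], local_names: Set[str]) -> List[Tuple[MessengerMessage, List[str]]]:
    """Return (message, reasons) for every Messenger Service popup that looks like spam."""
    hits = []
    for text in events:
        msg = parse_messenger_event(text)
        if msg is None:
            continue
        reasons = spam_indicators(msg, trusted_senders, local_names)
        if reasons:
            hits.append((msg, reasons))
    return hits


if __name__ == "__main__":
    # Hypothetical allowlist and local names; adjust to the machine being checked.
    for msg, reasons in scan(SAMPLE_EVENTS, {"FILESRV01"}, {"KAYAKER", "WKSTN-K"}):
        print(f"{msg.date} from {msg.sender} to {msg.recipient}: " + "; ".join(reasons))
```

Run against the four sample entries, the two spam popups are flagged on all three counts (untrusted sender, recipient "You" that matches no local name, and a URL in the body), the FILESRV01 alert passes, and the application error entry is skipped because its header is not a Messenger Service message.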

Kayaker
August 21st, 2003, 00:07
Aha, thanks, I only recently switched to 2K and am still figuring things out. I see what this Messenger service is now; even MS itself mentions this form of spam, though interestingly they DON'T mention disabling the service because "Instant messages should not be blocked", so they want you to rely on a firewall instead.

Good to know about this; that net send command makes it too easy for anyone to access a service on your machine:
net send {Name | * | /domain[:Name] | /users} message
You can send a message only to a name that is active on the network. If you send the message to a user name, that user must be logged on and running the Messenger service to receive the message.

K.

UrgeOverKill
August 23rd, 2003, 07:50
M$ really doesn't want you to disable the Messenger Service, even though you try to delete it. So instead try this: you can uninstall Windows Messenger by opening the sysoc.inf file in the \windows\inf folder and finding the line

msmsgs=msgrocm.dll,0cEntry,msmsgs.inf,hide,7

Delete the word 'hide' from the line, then save the file. An option to remove Windows Messenger will then be available in the Control Panel Add/Remove Windows Components applet. This works on XP and should work on 2K.

squidge
August 23rd, 2003, 13:58
I got rid of it by terminating messenger (via task manager) and then deleting its directory. Luckily, Messenger isn't part of Windows File Protection, unlike Microsoft Outlook, which is the only other part I'd like to delete permanently.

yaa
August 23rd, 2003, 14:59
The messenger service can even let people know who is the currently logged on user on a w2k/XP/.NET machine ... this way only the password needs to be found ....
If I recall correctly it's because when you have the service running and you log on to a network your machine tries to register a few services with the local WINS server ...

I scratch my desktop often and I'm always impressed when I access the internet with a fresh machine, having forgotten to set the service to manual or disable it ... I get that popup in a matter of a few seconds ... I wonder what makes these people do these things ... exactly as when I get garbage spam mail ... why??? I mean if you want to sell me something I may even understand your intent ... but garbage mail goes beyond my capacity of understanding.

Anyway there is a tool on MS site called "Microsoft Baseline Security Analyzer" that will analyze your machine and identify all security weaknesses in your machine (like short passwords, guest user enabled, SQL Server sa account missing a password, etc) ... I think it's a useful tool ...


yaa

4oh4
August 25th, 2003, 13:02
You can also just type 'net stop messenger' at a cmd prompt. Also, use the services control panel to stop the service and change its automatic loading.


cheers,
will