MS Messenger Block on Pif Files is Case Sensitive

Recently, Microsoft blocked the spreading of Trojans on the Messenger network by blocking .pif files; two out of the three viruses at the time were using .pif files to spread themselves. How well did that work?

Not too Good!

Apparently, all the hackers had to do was change the extension to .PIF, or .Pif or .pIf, and the filters let the messages flow on through.

Each of the links leads to a different Trojan-downloader. The downloaders fetch a variety of adware and adware-related Trojans.

Moreover, IM-Worm.Win32.Licat.c is also downloaded, which in turn launches a new mass mailing of the original message. Nothing unusual, right?

Wrong! Both worms spread using links to .PIF files. But some of you might remember that Microsoft blocked messages containing “.pif”?

Yes, they have, but… the MS block is case sensitive!

So the criminals used capital letters, “.PIF” and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.

We have notified Microsoft of this and hope they take the necessary actions. In the meantime, users and admins should beware. Source: Analyst’s Diary via Security Fix
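To show why a case-sensitive substring filter fails here, the following is an added Python sketch (not code from the post, and not Microsoft's actual filter, whose implementation is not described): a naive check beside a hardened one that pulls each link out of the message, normalizes the file name's case, URL-encoding and trailing punctuation, and only then compares the extension. The message strings and example.test URLs are constructed.

```python
import re
from urllib.parse import urlparse, unquote

# Only .pif is discussed in the post; a deployment would add its own list.
BLOCKED_EXTENSIONS = {".pif"}

# Rough link matcher for IM text: anything that looks like a URL or www. host.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def naive_block(message: str) -> bool:
    """Case-sensitive substring match: bypassed by .PIF, .Pif, .pIf, etc.,
    and also fires on harmless names such as notes.pif.txt."""
    return ".pif" in message


def _extension_of(link: str) -> str:
    """Return the lower-cased extension of the file named by a link, or ''."""
    if not link.lower().startswith(("http://", "https://")):
        link = "http://" + link          # let urlparse handle bare www. links
    path = unquote(urlparse(link).path)  # drops ?query, decodes %2E and friends
    name = path.rsplit("/", 1)[-1].rstrip(". ")  # ignore trailing dot/space
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].casefold()


def hardened_block(message: str) -> bool:
    """Block when any link in the message ends in a blocked extension,
    regardless of letter case, encoding or trailing punctuation."""
    return any(_extension_of(link) in BLOCKED_EXTENSIONS
               for link in URL_RE.findall(message))


if __name__ == "__main__":
    for msg in ("lol see http://example.test/photo.pif",
                "lol see http://example.test/photo.PIF",
                "lol see www.example.test/photo.pIf?id=1.",
                "here are my notes.pif.txt"):
        print(f"{naive_block(msg)!s:5} {hardened_block(msg)!s:5} {msg}")
```

The two columns differ exactly on the lower-cased-only bypass the post describes and on the false positive a substring match produces.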

One of the best solutions for all instant messaging users is to only allow people on your buddy list to send you messages. While this won't block the viruses that your friends contract, it will at least block the ones from EVERYONE else. Then you still have to decide whether you really want to click on these links at all; it would probably be safest to message them back real quick and ask what it is. If they don't know what link you are talking about, then they probably have a virus. As always, update your anti-virus, scan for spyware frequently, and let's be careful out there.

Update: According to their weblog, here, MSN has fixed the problem with the different spellings of the .pif extension getting through.