Malware hosted by MSN

Retired

Found some malware files on MSN servers. Example:

hxxp://mt7tag.bay.livefilestore.com/y1pdba9Wm0SUNUShxO1lj95M5X7c-j0cTeZIlyxj8Vh_7Zl7h_XjQf8xcSKoCvWNUU3ViZEMG1HqBk/tempMSN.gif

There are several more that I downloaded last night. Can someone look
into this, please?

TIA
 
Bill Sanderson

Send this kind of information directly to Microsoft, rather than posting it
in a peer support forum.

The address

(e-mail address removed)

is staffed 24 hours a day.

Retired

Thanks, Bill.
--
Sired, Squired, Hired, RETIRED.

Bill Sanderson

I should probably point out that contrary to the title on this thread, the
server in question is NOT a Microsoft property--as I heard when I passed
this information on to secure@.

Retired said:
It's not really a gif. It's an exe file which has been renamed to gif.

Retired
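
Added example, not part of any poster's message: a small Python check for the mismatch described above (an executable renamed to .gif), comparing a file's leading bytes with what its extension claims. The file names are ones reported in this thread; the header bytes, the signature table and the function names are constructed for illustration.

```python
import os

# Well-known leading signatures (magic numbers) for a few formats.
SIGNATURES = [
    (b"MZ", "pe"),                    # DOS/PE executable (.exe, .scr, .dll)
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# The content type each extension promises.
EXT_TYPE = {".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
            ".exe": "pe", ".scr": "pe", ".dll": "pe"}

def sniff(head: bytes) -> str:
    """Return the type detected from a file's first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(name: str, head: bytes) -> list:
    """Return a list of findings for one downloaded file (empty if none)."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    claimed = EXT_TYPE.get(ext)
    actual = sniff(head)
    if actual == "pe" and claimed != "pe":
        findings.append(f"executable content behind {ext or 'no'} extension")
    elif claimed and actual != claimed:
        findings.append(f"content is {actual}, extension claims {claimed}")
    # A media extension placed before an executable one (x.jpg.scr).
    inner = os.path.splitext(stem)[1]
    if claimed == "pe" and EXT_TYPE.get(inner) not in (None, "pe"):
        findings.append(f"double extension {inner}{ext}")
    return findings

# Constructed sample headers (not taken from the files in the thread).
PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"
GIF_HEAD = b"GIF89a\x01\x00\x01\x00"

if __name__ == "__main__":
    for name, head in [("tempMSN.gif", PE_HEAD), ("foto.jpg.scr", PE_HEAD),
                       ("logo.gif", GIF_HEAD)]:
        print(name, triage(name, head) or "ok")
```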


Retired

Then I suppose I should point out that mt7tag.bay.livefilestore.com is
an alias for baylfs.storage.msn.com.nsatc.com:

http://www.robtex.com/dns/mt7tag.bay.livefilestore.com.html

The "contact" tab reveals the following:

"contact information for mt7tag.bay.livefilestore.com
msnhst[at]microsoft.com (responsible for livefilestore.com,msft.net)"

I have reported many of these to Kimberly at Bluetack and she passed
them on to her Microsoft contacts who removed the files.

If it is not a Microsoft property, whose property is it? :)
 
Bill Sanderson

Thanks. Obviously the person at Secure@ who looked at that message analyzed
it quite superficially. If I can find the original response, I'll pass
yours on--they should have looked at it a bit closer.



Retired

Thanks, Bill. Here's three more: :)

hxxp://xz1l7a.bay.livefilestore.com/y1pcaYDLUjyIhXzYGTUnt0SmJRDLQHstVj-pdfTXnHQNAd7PDtij_g6VvdpILvk0pR9taRc6RFhjqJkhOICoAfQ-w/svchosts.exe

hxxp://xz1l7a.bay.livefilestore.com/y1p2pbjKzVRChCE_0yEBpYWkCNijYbCcJfdjT_SVMCGCf7-gXBSO27NuWkDPf6GcsNN1ivNlRkIRWlyV8sQoaMbFA/killador.exe

hxxp://admunq.blu.livefilestore.com/y1p5E8Lb0aGuEkFIEWEXMnk-noUqURCZtRLe0EbKoHPsbay8Y3V5noM7EEsosASFoe7aJWndCKzCyZvKi6wUMgx6g/killador.exe

Bill Sanderson

Thanks - This time around I got a response indicating that they were working
with MSN on the issue, and I've passed on your additional urls.


Retired

That's great news, Bill. Looks like we're on a roll! Here's three more:

hxxp://jkyuzq.blu.livefilestore.com/y1pR7eBa13FvdVXwyTdy2iskQ1kl5cJLMzjXHHDT5Fe0HkzDm5l_fUPsUh8C9dkrct2GVPeK89Hm2dQgZGKqw0fjA/foto.jpg.scr

hxxp://zzz6ww.bay.livefilestore.com/y1pCyh1HdgNR5PKYocRtpZqG16t5YW2WVofdcDNk_vZ3QCiGVqgRBa1ZwPW9ORoVV2gtp_6JyqpZFc/itsec.xml

hxxp://zzz6ww.bay.livefilestore.com/y1pNbkF16gP9ghsB_ftM_L5C2YMkNHQmCwUH1KZ2DOpVezJbGpidJbJbi2rLe1K-eqfDfWLJm2tg-E61tdM5Tkffg/bblog.xml

Retired

One more:

hxxp://drhshq.bay.livefilestore.com/y1pOuqJMDwTBzRV6m9mxmWBmqv1HqZRftrN5K-ezEXQWDbLZzI7EP1KROMYW-EC0yoVuB2JasuFpxo6DYyKTgQU2w/window.exe
 
Bill Sanderson

This would be more direct if you simply sent these to (e-mail address removed)
yourself.

I will pass these on, but these are the last I will do this with--please
report them directly. There's no magic in my name--they will do the right
thing with your reports.


