Messenger Service Spam
What is it?
Do you get pop-up messages like this one?

Take note of the title bar, the first line and the fact that
it is only "flat text", with just an "OK" button.
Out of the box, Microsoft Windows NT, 2000,
and XP systems allow anyone on the network to pop up messages
like this on your screen. You do not need to be running any
web, email, or instant messaging software. It has nothing
to do with MSN Messenger, Yahoo Messenger,
or any other application. There is no need for the sender
to know anything about your computer and your computer doesn't
care who does it. In recent incidents, people have used this
capability to spread spam messages like the ones above.
BTW: If you get pop-ups that do not
look like this, try scanning
for "normal" spyware.
Cure the symptom
New:
If you are looking for a user-friendly tool that does all this stuff
for you, try X-Cleaner.
You can disable the Messenger service if you
want to, although doing so may result in Windows not being
able to alert you to some conditions. This may include things
like "print job complete", anti-virus, and event
logger status messages. Also, "new mail" notifications
may not be available in an Exchange/Outlook environment.
Windows 2000
- Click Start->Programs->Administrative Tools->Services
- Scroll down and highlight "Messenger"
- Right-click the highlighted line and choose Properties.
- Click the STOP button.
- Select Disable in the Startup Type scroll bar
- Click OK
Windows XP
- Click Start->Control Panel
- Click Performance and Maintenance
- Click Administrative Tools
- Double click Services
- Scroll down and highlight "Messenger"
- Right-click the highlighted line and choose Properties.
- Click the STOP button
- Select Disable in the Startup Type scroll bar
- Click OK
You can verify that the service is disabled by typing the
following at a command prompt. If no pop-up message appears, the
Messenger service has been disabled.
net send 127.0.0.1 "test"
Cure the cause
If you are a home user...
Beware! The problem is much bigger
than just receiving annoying messages.
It means your PC is very vulnerable to all sorts of attacks.
Quoting Microsoft's
KnowledgeBase article on the subject,
"In addition to transmitting net send messages to
your computer over the Internet, a malicious user may also
be able to use the NetBIOS connection to your computer to
perform the following tasks:
- Access your private information
- Initiate denial of service (DoS) attacks against a high profile Web site
- Distribute software illegally by appropriating space
on your hard disk
For this reason, Microsoft recommends that you install
a firewall and configure it to block NetBIOS traffic instead
of merely just turning off the Messenger service."
We have prepared a list
of good software firewalls.
If you are a systems administrator...
When you are responsible for any kind of network,
you should be aware of all the security implications of having
a NetBIOS service available to the entire world. All it takes
is one infected PC to compromise your entire network
from the inside.
If you have not already done so, block these ports on your firewall:
- Incoming & Outgoing (anywhere to anywhere)
- UDP and TCP
- Port list: 135, 137, 138, 139, 445
These ports are used for nothing good and should
be closed at once. Contact your firewall vendor if needed.
(And make sure to yell at them for not closing them by default
in the first place)