The feature, known as the messenger service, was originally designed to let a network administrator send warnings to users when, for example, a server is scheduled to go down for maintenance. Last year, bulk advertisers began using the tool to send pop-up advertising messages directly to a user's computer, and researchers say it would be simple for a virus writer to exploit the feature as well. The feature is not related to Microsoft's instant messaging software.
The warnings take on added urgency with the outbreak of several worms over the past few days that are affecting PCs and corporate networks. The MSBlast worm, the "good" Welchia/Nachi worm, a new version of the Sobig virus and the threat of a DirectX attack are all currently causing concern for Windows users.
Jack Clark, spokesman at security software company McAfee, explained that although the messenger service is not a threat on its own, it could easily be exploited to bring further misery for administrators and users. "Someone could write a virus that infects your machine and instructs it to send out those messages to everyone else," said Clark.
The messaging service, using a component called "Net Send", can be used to send a pop-up alert with 128 characters to either a single user, all users on a domain, or all users that have sessions with a particular server. This could allow spammers to send thousands or even hundreds of thousands of messages from a single command in a DOS shell, although Microsoft's Web site advises people to "use discretion when sending messages to multiple users".
Alex Shipp, a senior antivirus technologist at email security company MessageLabs, agreed the message service is a threat and recommended that administrators make sure it is turned off. "I haven't come across anyone in the past year that has used the messenger service. In general, things you are not using should be turned off -- it is probably best not to leave it up to the poor end user to make those decisions," he said.
To switch off the messenger service in Windows XP, go to the Start button, click on Control Panel, Admin tools and choose Services. Then double-click on Messenger and change the Start-Up type to Disabled. Finally, reboot the PC.
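For administrators who need to make the same change on many machines, it can be scripted from the command line. The batch file below is an added example, not part of the original article; it uses the built-in sc command, and hosts.txt (one computer name per line) is an assumed file name.

```batch
@echo off
rem Added example: disable and stop the Messenger service on every
rem computer listed in hosts.txt (hypothetical file, one name per line).
rem Run it from an account with administrative rights on the targets.

if not exist hosts.txt (
    echo hosts.txt not found
    exit /b 1
)

for /f "usebackq tokens=1" %%H in ("hosts.txt") do (
    echo === %%H ===
    rem Set the start-up type to Disabled. The space after "start=" is required.
    sc \\%%H config Messenger start= disabled >nul
    if errorlevel 1 (
        echo   could not change the start-up type, check access and name
    ) else (
        rem Disabled only applies at the next start, so also stop the
        rem running instance. An error here usually means it was not running.
        sc \\%%H stop Messenger >nul 2>&1
        rem Show the stored configuration; expect START_TYPE 4 DISABLED.
        sc \\%%H qc Messenger | find "START_TYPE"
    )
)
```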
Microsoft was not available for comment.






Talkback
I agree - pop up messages like this are becoming a real pain. I use NTL Broadband and if I leave the service on I get approximately 3 per hour. But there is good news... if any of them are adverts for premium rate numbers in the UK, you can note the message and the number and complain to ICSTIS - they have ruled that it is a violation of the premium rate operators' terms and conditions as well as a contravention of the Computer Misuse Act.
Many thanks for your simple solution and instructions how to turn messenger off and stop the enormous amount of messages I receive on my home computer. I searched the Microsoft site by keyword and was not able to find any mention or advice on how to deal with messenger ads. As a home computer user and not an IT professional, I cannot understand why simple instructions as found in your article cannot be made easily available for the home user from Microsoft itself.
Thanks again.
In case you happen to use the messenger service for what it's supposed to be used for, disabling it naturally is a problem.
But unless the spammer is inside your own network, simply blocking ports 137, 138, and 139 from the outside world is all that needs to be done to prevent those messages from ever entering the network at all.
Some server systems actually do use the service for notifying of printer problems or "server down for service" messages. Especially Windows 2003 servers use it for the latter sample.
This is a bit of a stretch, as the NET SEND command would have to be locally executed in order to blindly send a pop-up message box to all users in the machine's domain. Otherwise the initiator would need to know specifics such as network usernames and network domains (which is unlikely for an external exploit).
Disabling the Messenger service is an obvious preventative measure, but I am wondering where/how an external party could locally execute the NET SEND command. If the attack is coming from the outside through a TCP/UDP port exploit then NetBIOS/SMB ports like 137, 138, etc. should be blocked on the external interface. If the attack is coming in the form of an e-mail script I suppose the unknowing recipient party could simply launch the script and perform the command.
Most current Microsoft e-mail application versions now automatically block attachments that are .BAT, .PIF, .CMD, .EXE and those versions that don't can be aided with current antivirus definitions running on the e-mail server and e-mail client. But the scripting capability could be a lot more damaging than sending a NET SEND message box. Imagine one that appended 'format c:' or something to the local startup environment on Windows 9x hosts?
That being said I still fail to see how a NET SEND message box could contain malicious code. I can appreciate the foresight and proactive nature of this article yet would like some perspective on things.
The bloated virus magnet with the initials MS strikes again. Is there no end to the new holes that will require new patches? Has Microshaft left all these weak spots so they can browse our system in search of unregistered software? Unix / Linux is looking better every day, and Apple has begun to be an option I'll have to consider.
While I'm concerned about the security issues, I frequently run Windows and MSN messengers side by side. This allows me to "appear offline" to a large group of contacts while remaining available to a select few, and still see when contacts come online in the larger group. Personally I'd prefer that Windows messenger was fixed and updated with features equalling MSN, not simply discontinued.