I discovered that I have a program installed called msmsger.exe. I
don't know where it came from or what it might be associated with. From
time to time my personal firewall tells me that the program msmsger.exe wants
to access the internet. I have blocked such requests.
I did a Google-search but found only 4 forums (in languages I do not
understand) where it is mentioned. Neither my antispam software nor AV virus
software detects it as bad. I have no Microsoft Messenger software
installed.
Any idea what this piece of software does or is?
I believe this is a great example of something we see all the time:
malicious programs trying to "look like" other programs so you'll be uncertain
about their maliciousness.
And, yes, even though your anti-malware programs don't flag it, I believe it
is malware. Which brings up another very important point.
One of the ways that malicious software tries to hide itself, or at least
confuse people, is by taking a name that is very similar to a legitimate piece
of software.
The name msmsger.exe is very similar to msmsgs.exe (Windows Messenger) or
msnmsgr.exe (MSN Instant Messenger), but of course that actually means nothing.
Just because programs have similar names doesn't mean that they're related at
all.
And yet, it's easy to think so, and easy to misread the imposter's name as
one of the others if you're not paying close attention.
And, of course, that's exactly what malware authors have been relying on for
years. Consider that "lsass.exe" is a legitimate and important system process.
But "isass.exe", and even "1sass.exe", look very similar. They are not.
They are viruses that have caused a lot of people a lot of grief.
So my first inclination when I see a program that has a name similar to, but not
quite the same as, a legitimate Windows program is to consider it suspect.
Choosing a name that is close to the name of a real, legitimate program is a
frequent sign of malware.
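An added illustration, not code from the original article: the check described above, done mechanically. It folds the easily confused characters the article mentions (1 and i for l, 0 for o), then measures how far a process name is from a short list of known legitimate names and flags near-misses for a closer look. The legitimate-name list and the sample process list are constructed for this example; a real list would be much longer, and a hit here is only a reason to investigate, not proof of malware.

```python
# Known legitimate names the article compares against (constructed short list).
LEGIT = sorted({"lsass.exe", "msmsgs.exe", "msnmsgr.exe", "svchost.exe", "explorer.exe"})

# Characters that are easy to misread for one another in a process list.
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def normalize(name):
    """Lower-case the name and fold look-alike characters to a canonical form."""
    return name.lower().translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, legit=LEGIT, max_distance=2):
    """Return ("legit", name) for an exact match, ("lookalike", closest) when the
    name is within max_distance edits of a known name after homoglyph folding,
    or ("unknown", None) when it resembles nothing on the list."""
    low = name.lower()
    if low in legit:
        return "legit", low
    norm = normalize(low)
    best = None
    for known in legit:
        d = levenshtein(norm, normalize(known))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, known)
    return ("lookalike", best[1]) if best else ("unknown", None)


def triage(process_names):
    """Map every look-alike in a process list to the legitimate name it imitates."""
    hits = {}
    for proc in process_names:
        verdict, closest = classify(proc)
        if verdict == "lookalike":
            hits[proc] = closest
    return hits


if __name__ == "__main__":
    # Constructed sample of a process list mixing real and imitation names.
    sample = ["lsass.exe", "isass.exe", "1sass.exe", "msmsger.exe", "notepad.exe"]
    for proc, closest in triage(sample).items():
        print(f"{proc}: suspicious, resembles {closest}")
```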
âBut,â (I hear you saying), âmy anti-virus program didnât flag it!â
True enough. And, to be honest, thatâs important data. But not enough to
call the file legitimate either. (As an aside, Iâm assuming that your
anti-virus and anti-spyware packages are getting regular database updates to keep
track of new threats that are constantly emerging. Without those updates, best done
daily or at least weekly, they wonât catch new malware.)
The sad fact is that not all anti-malware programs catch all malware. Good
ones will catch a lot; even most of the malware thatâs out there. But none of
them are 100% accurate.
Iâll say that again: none of the anti-malware programs give you 100%
coverage.
Sucks, doesnât it?
In the case of msmsger.exe, I did find at least one anti-spyware vendor that
only recently started explicitly listing it as a
threat, but it provides very little detail. It's difficult to determine just
how much of a threat it really is.
My first recommendation is to run additional spyware and virus scans using
some of the free or trial versions of scanners that are currently
available.
If they show nothing, my next recommendation is to delete the file
(following the steps in Is it
safe to delete this file?), and see what happens.
But the fact that it's named similarly to a legitimate program and that it's
trying to access the internet most definitely has me concerned, and almost
convinced, that it's a virus or other malware of some sort.
Hi Leo and the chap sporting msmsger.exe...
prevx.com have it on file already. Search msmsger.exe and you will get: http://spywarefiles.prevx.com/RRHDHD32771468/msmsger%252Eexe.html
What I like about prevx is that it probably won't allow the file on the computer in the first place, but even if it did it certainly would not allow the program to run without a specific yes from its online database or me...
http://prevx.com
Well worth a look...
Lou
Excellent warning and clear explanation.
http://www.auditmypc.com/process/msmsgs.asp
It's a worm.
ââBEGIN PGP SIGNED MESSAGEââ
Hash: SHA1
That comment, unfortunately, illustrates one of the reasons that malware
authors use names that are so similar to other things.
The article here talks about "msmsger.exe". The article on
auditmypc.com doesn't mention "msmsger.exe" at all. Many similar names,
but NOT the exact same name.
That's important. Make sure you are carefully examining the correct
information for the exact name you're seeing.
Leo
ââBEGIN PGP SIGNATUREââ
Version: GnuPG v1.4.6 (MingW32)
iD8DBQFFw3YjCMEe9B/8oqERAgAQAJ0TKqD+MmLFoGwGTjieULFG6QrbAwCdErRL
5pC3bsr0aKdWsFDNrGYpvzI=
=Z/YK
ââEND PGP SIGNATUREââ
I recognized the similarity to a line in my computer when I was trying to trim my startup programs, so I was relieved to find from checking here that mine was the "good" one. But if I hadn't already read the article, I wouldn't even have known that there was anything to check. An index of topics you've answered would be helpful. Do you already have one, and how do I access it? If not, I'd be willing to help set one up, which I have done in the past, but just on paper, never on a computer. I think an in-depth index would be helpful, so let me know, with instructions, if I can be of help. BombayGranny
A while back my firewall informed me that msmger.exe was being blocked and asked me what I wanted to do with it. I didn't know what it is so I told the firewall to ask me again later. Then my system started lagging badly while trying to web surf. As soon as I removed msmsger my system started running well again. This thing is malware, so if you get it remove it.
ââBEGIN PGP SIGNED MESSAGEââ
Hash: SHA1
Again, folks, the filename in that previous comment is not the same
as the filename that started this article. >>Pay careful attention to
the filename.
59.16.41.33:6667
The worm opens an IRC outbound connection to that IP address and port. I don't know the relevance of this; maybe someone will.