Chinese Internet Security Response Team (GMT +0800)

MSN Worm outbreak

[Post on : June 1, 2007 18:00 | Category : Bot & Botnets | by : smallmo] Reship : Original

Since this afternoon, many Chinese MSN users have received the same file, "photos.zip". It is a new IM worm and is spreading very quickly in China. The worm sends its messages in English, French, Spanish and other languages, for example "My friend took nice photos of me.you Should see em loL!" or "hey regarde les tof, c'est moi et mes copains entrain de.... :D". We declared a medium alert for Chinese users at 5:30 p.m. on June 1, 2007 (GMT +0800). Everyone should be careful with this new worm.

(Screenshot of the messages sent by the worm.)

Inside the .zip file is a file named "photos album-2007-5-26.scr"; its size is 479,232 bytes and its MD5 hash is 9784ab71076f583ce02de0340554aefa.


Upon execution, it drops a file "syshosts.dll" and modifies a registry key so that the DLL is loaded by the shell at logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"syshosts" = "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
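As an added example (not part of the CISRT report), the following Python script checks a `reg export` of the ShellServiceObjectDelayLoad key for value names outside a clean-host baseline, and matches a file body against the published size and MD5 of the .scr dropper. The baseline set, the function names and the constructed sample export (including its CLSIDs) are assumptions for the example, not values from the report.

```python
import hashlib
import re

# Indicators as published in the report above.
DROPPER_MD5 = "9784ab71076f583ce02de0340554aefa"
DROPPER_SIZE = 479_232
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")
# Value names expected under SSODL on a clean Windows XP host. This baseline is
# an assumption for the example; build your own from a known-clean machine.
SSODL_BASELINE = {"postbootreminder", "cdburn", "webcheck", "systray"}

_VALUE_RE = re.compile(r'^"([^"]+)"="(\{[0-9A-Fa-f-]{36}\})"\s*$')


def ssodl_entries(reg_export: str) -> dict:
    """Parse .reg text (as written by 'reg export') and return the
    name -> CLSID values found under the ShellServiceObjectDelayLoad key."""
    entries, in_key = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == SSODL_KEY.lower()
            continue
        if in_key:
            m = _VALUE_RE.match(line)
            if m:
                entries[m.group(1)] = m.group(2)
    return entries


def suspicious_ssodl(reg_export: str) -> dict:
    """Return SSODL entries whose value name is not in the baseline. Every
    CLSID under this key is loaded by Explorer at logon, so each unknown
    entry should be traced to the DLL its CLSID registers."""
    return {n: c for n, c in ssodl_entries(reg_export).items()
            if n.lower() not in SSODL_BASELINE}


def matches_dropper(data: bytes) -> bool:
    """True if a file body has the published size and MD5 of the dropper."""
    return len(data) == DROPPER_SIZE and hashlib.md5(data).hexdigest() == DROPPER_MD5


# Constructed sample export: three stock entries plus the worm's "syshosts"
# value. The CLSID for syshosts is a placeholder; the report does not give it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"syshosts"="{00000000-0000-0000-0000-000000000000}"
"""
```

Running `suspicious_ssodl(SAMPLE_REG)` on the constructed export returns only the "syshosts" entry; on a live host, feed it the output of `reg export` for that key.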


It sends messages such as the following:

English version:
Here are my private pictures for you
Here are my pictures from my vacation
My friend took nice photos of me.you Should see em loL!
its only my photos!
Nice new photos of me and my friends and stuff and when i was young lol...
Nice new photos of me!! :p
Check out my sexy boobs :D


French version:
hey regarde mes tof!! :p
ma soeur a voulu que tu regarde ca!
hey regarde les tof, c'est moi et mes copains entrain de.... :D
j'ai fais pour toi ce photo album tu dois le voire :)
tu dois voire ces tof
mes photos chaudes :D
c'est seulement mes tof :p


Dutch version (Netherlands or Belgium):
zijn enige mijn foto's
wanna Hey ziet mijn nieuw fotoalbum?
Hey beindigde enkel nieuw fotoalbum! :)
hey keurt mijn nieuw fotoalbum goed.. :p
het voor yah, doend beeldverhaal van mijn leven lol..


Italian version:
le mie foto calde :p


German version:
meine heißen Fotos ! :p


Spanish version:
mis fotos calientes
mi fotografías :p
Mi amigo tomó las fotos agradables de mí
el lol mi hermana quisiera que le enviara este album de foto


The detailed report, written by our analyst Moonny: CISRT2007068

Aliases:

W32.Mubla [Symantec], Backdoor.Win32.IRCBot.aaq [Kaspersky], W32/IRCBot-WB [Sophos]



Last modified by smallmo on July 2, 2007 18:28

nassir Says:
October 1, 2008 06:14
ik bin nassir
xtxjim Says:
June 16, 2007 19:42
Can send to me??