Chinese Internet Security Response Team (GMT +0800)

summer2008.zip, IRC-Worm.Win32.Agent.a

[Posted on: July 24, 2007 12:49 | Category: Worm | by: smallmo]

A friend just sent us a new worm that is spreading via MSN Messenger. It arrives as the file "summer2008.zip", which contains "summer2008.scr"; a .scr "screen saver" is an ordinary Windows executable, so opening it runs the worm. The worm sends its lure messages in several languages, and this variant adds a Chinese version written in pinyin (romanized pronunciation). Kaspersky detects it as Backdoor.Win32.IRCBot.acd (previously named IRC-Worm.Win32.Agent.a).

The worm sends out the following messages over MSN:

English version:
Look how wasted Paris Hilton is, after she got jailed :(    
You and Me !!! .... look :p
Look at my photos hihi :p  
Hey please accept my photos :o !!  
A photo with me and my best friend :$ !!    
This is me totaly naked :o please dont send to anyone else  
Look what i found on the NET :o
Jessica Alba NUDE !!  


Chinese version (pinyin):
kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(    
NI HE WO !!! .... QING KAN :p  
KAN WO DE ZHAOPIAN :p  
JIESHOU WO DE ZHAO PIAN :o !!  
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!    
KAN WO DE ZHAOPIAN :p  
ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!


Other versions (Turkish, French, Dutch, German, Italian, Portuguese, Swedish, Spanish, Danish):
bak sana Paris Hilton ne hale gelmis hapiste :(    
Sen ve Ben !!! .... BAK :p  
Baksana benim fotograflara hihi :p  
Hey benim fotolarimi kabul et :o !!
Iyi arkadasimla fotorafdayim :$ !!  
benim bu ciplak fotoda :o ama baskasina yollama
bak ne buldum :o Jessica alba ciplak !!

Regarde comment Paris Hilton parait efondrée après qu'elle ai été jeter en prison :(
Toi et moi !!! .... regarde :p  
Regarde mes photos :p  
Hey s'il te plait accepte mes photos :o !!  
Une photo de moi et mon meilleur ami :$ !!  
C'est moi totalement nu :o s'il te plait ne l'envoie a personne d'autre
Regarde ce que j'ai trouvé sur le net :o Jessica Alba NU !!

Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
Jij en Ik !!!! .... kijk :p
Kijk eens naar mijn fotos hihi :p  
HEY !! accepteer mn fotos dan !
met mijn beste vriend op de foto !! :$  
Dit ben ik naakt op de foto, stuur alsjeblieft niet door.  
Kijk wat ik gevonden heb :o Jessica Alba naakt !!  

guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(    
du und ich !!! ....guck :p  
siehe meine fotos hihi :p  
hey bitte nimm meine fotos an :o !!
ein foto mit meinem besten freund und mir :$ !!
das bin ich total nackt :o bitte sende es niemand anderem  
guck was ich im internet gefunden habe :o jessica Alba NACKT !!

Guarda come Paris Hilton sprecato è dopo che era imprijonata :(    
Tu ed io !!! .... guarda :p
Guardi le mie foto hihi :p  
Mairee photos accept karo :o !!
Una foto con me ed il mio amico migliore :$ !!  
Questa e me totaly nudo :o prego non trasmette a chiunque  
Osservi che cosa ho trovato sul internet :o Jessica alba NUDA !!
   
Veja como Paris Hilton está acabada depois de ter sido presa :(
Você e eu !!!! .... Veja :p
Veja as minhas fotos hehehe :p  
Por favor aceite as minhas fotos :o !!  
Uma foto com o meu melhor amigo e eu :$ !!  
Esta sou eu totalmente nua :o por favor não mande isso pra ninguém  
Olha o que eu achei na NET :o Jessica Alba NUA !!  

Kolla hur förstörd Paris Hilton, efter att hon fängslades :(
Du och jag !! .... Kolla ;)
Kolla på min bilder, hihi :p    
Hey, acceptera mina bilder, snälla :o  
En bild på mig och min bästa vän :$ !!!
Detta är jag HELT naken.. :o Skicka inte till någon annan, snälla...    
Kolla vad jag hittade på net :o Jessica Alba NAKEN !!

Mira cómo Paris Hilton es perdida después de ser encarcelada :(
Usted e yo !!! .... Mira :p
Mira mis fotos jejeje :p    
Ha aceptado mis fotos por favor :o !!  
Una foto con mi mejor amigo e yo :$ !!  
Esta soy yo totalmente desnuda :o por favor no envíe para nadie
Mira lo que encontré en la WEB :o Jessica Alba DESNUDA !!  

Lede hvor spild Paris Hilton er efter hun fik fængsel :(    
Jer og Mig !!! ... se :p    
Se på min fotos :p  
Hej behage optage min foto :o !!    
EN foto hos mig og min bedst ven :$ !!  
denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
Lede hvad jeg fandt oven på den net :o Jessica Alba bar !!


When run, the worm drops a zip archive into the %WINDOWS% directory under a randomly chosen name of one of the following forms:

images0XX.zip
photos0XX.zip
albumXX.zip
photoXX.zip
pictures0XX.zip
pictureXX.zip (XX stands for random digits, for example album39.zip or images091.zip)


The sample is 120,832 bytes, packed with NTKrnl; its MD5 hash is e1d1e9e2b1882f2c99c6a131341dea21.


Update, 6:15 p.m., July 24, 2007 (GMT +0800):

How to remove this worm:

Step 1.
"Start" -> "Run", type "REGEDIT" and press Enter to open the Registry Editor.

Step 2.
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Every value under this key is the CLSID of a COM object that Explorer loads automatically when the shell starts; this is how the worm keeps running after a reboot. In the right panel, find the value named "printers", whose data is a {CLSID} string, and delete it.
(Write down the {CLSID} before deleting it; Step 3 needs it.)

Step 3.
Go to
HKEY_CLASSES_ROOT\CLSID

and delete the key named with the {CLSID} from Step 2. Before deleting it, you can confirm it is the worm's entry: its InprocServer32 subkey should point to a DLL that is not a legitimate Windows component (the only DLL this sample drops is %System%\notiffy.dll, listed in Step 5).

Step 4.
Restart your computer. The worm's DLL is loaded into Explorer, so its files cannot be deleted until the shell has been started without it.

Step 5.
Delete the following files:
%System%\notiffy.dll
%System%\printers.exe
%userprofile%\new.txt
%Windows%\{string1}{random number}.zip (file size: 119 KB)


{string1} is one of the following:
images0
photos0
album
photo
pictures0
picture


For example:
images047.zip (containing images047.scr)
photo92.zip (containing photo92.scr)
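The removal steps above are manual, and several readers in the comments report that they cannot find the "printers" value. As an added example, not part of the original post, the following PowerShell triage script lists every ShellServiceObjectDelayLoad entry together with the DLL its CLSID resolves to, so an unfamiliar entry stands out even if a variant uses a different value name; it then looks in %WINDOWS% for files matching the dropped-file name pattern and compares them against the size and MD5 given above, and checks for the fixed-name files from Step 5. It only reports and deletes nothing; removal should still follow the order above (registry first, reboot, then files), because the DLL is loaded into Explorer while the shell is running. The registry path, file names, size and hash are taken from the post; the variable names and output format are the example's own. Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the original post): read-only triage for the
# persistence entry and dropped files described above. Run in an elevated
# PowerShell (4.0 or later, for Get-FileHash) on the suspect machine.
# Registry path, file names, size and MD5 come from the post; everything
# else (variable names, output format) is the example's own.

$ssodl     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$knownMd5  = 'e1d1e9e2b1882f2c99c6a131341dea21'   # MD5 of the sample, from the post
$knownSize = 120832                                # size in bytes, from the post
$psMeta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Persistence. Each value under ShellServiceObjectDelayLoad is a CLSID that
#    Explorer instantiates when the shell starts. Resolve every CLSID to the
#    DLL named in its InprocServer32 key so the worm's entry ("printers" in
#    this sample, possibly another name in a variant) can be compared with the
#    legitimate ones side by side.
Write-Output "--- ShellServiceObjectDelayLoad entries ---"
$entries = Get-ItemProperty -Path $ssodl
foreach ($p in $entries.PSObject.Properties) {
    if ($psMeta -contains $p.Name) { continue }    # skip the provider's own metadata
    $clsid  = [string]$p.Value
    $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { $server = '<no InprocServer32 key>' }
    $note = if ($p.Name -eq 'printers') { '  <-- value named in the post' } else { '' }
    Write-Output ('{0,-16} {1}  -> {2}{3}' -f $p.Name, $clsid, $server, $note)
}

# 2. Dropped archive. The name is one of six prefixes followed by random
#    digits; match both the .zip and the .scr it contains, hash each hit and
#    compare with the known sample. A name match with a different hash may
#    be a variant and deserves a closer look rather than dismissal.
Write-Output "--- Dropped-file candidates in $env:SystemRoot ---"
$namePattern = '^(images0|photos0|album|photo|pictures0|picture)\d+\.(zip|scr)$'
Get-ChildItem -Path $env:SystemRoot -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $namePattern } |
    ForEach-Object {
        $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
        $verdict = if ($md5 -eq $knownMd5)           { 'KNOWN SAMPLE' }
                   elseif ($_.Length -eq $knownSize) { 'same size, different hash (variant?)' }
                   else                              { 'name pattern only' }
        Write-Output ('{0}  {1} bytes  md5={2}  {3}' -f $_.FullName, $_.Length, $md5, $verdict)
    }

# 3. Fixed-name components listed in Step 5.
Write-Output "--- Fixed-name files from Step 5 ---"
$fixed = "$env:SystemRoot\System32\notiffy.dll",
         "$env:SystemRoot\System32\printers.exe",
         "$env:USERPROFILE\new.txt"
foreach ($f in $fixed) {
    if (Test-Path -LiteralPath $f) { Write-Output "PRESENT  $f" } else { Write-Output "absent   $f" }
}
```

If the script shows no "printers" value but one of the other entries resolves to a DLL you do not recognize, or to no InprocServer32 key at all, treat that entry as the suspect and apply Steps 2 and 3 to it instead; legitimate ShellServiceObjectDelayLoad entries on a clean system all resolve to Windows components.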

Alias:

W32.Mubla.B [Symantec]



Last modified by smallmo on July 30, 2007 12:13
princess bitch Says :
April 13, 2008 18:00
I must admit,

I was a stupid idiot who unknowingly accepted the virus about 7 months ago.
However I have McAfee and it's brilliant.
It detected the virus and ran a scan and got rid of it straight away.

I was extremely scared that I'd lose all my files and things, but I didn't and it all worked out fine.

I'm now aware of the virus and decided to research it because I know that a few friends have it but, stupidly enough, don't have internet security.

Thank you for spreading knowledge. ;;xO
52000 Says :
April 3, 2008 02:24
killbadbadbadbadbad
Paaul Says :
March 12, 2008 11:08
I DON'T GET THE PRINTER PART, IT DOESN'T HAVE IT. PLZ HELP ASAP!!
renin Says :
December 11, 2007 22:27
I didn't get the printer part... what's CLSID basically... I'm confused... worst part is my PC is brand new.....
Sian Says :
November 21, 2007 12:11
Where do I find these files?
%System%\notiffy.dll
Sorry..
asdf Says :
November 17, 2007 04:44
Fuck your whore mother, that bullshit is worth fuck all and nothing more.
Yvonne Says :
October 31, 2007 17:50
I can't delete the virus. What does "{CLSID}" mean?? The printer part I find at another file key; is it that printer file I should delete??
prolwer69 Says :
September 29, 2007 09:30
I tried the regedit and can't find the entry either.
I have followed the instructions concerning stopping auto restore and doing a scan and reboot and scan. I thought I had fixed it, but I just had MSN on again and it opened multiple windows and closed them like it was sending messages, and I had a hard time exiting MSN - it said that it would close all active windows but I didn't have any open... so I think I still have it. Any more suggestions??? I have scanned for all of the files you have listed.
Thanks
rutash Says :
September 14, 2007 22:15
I can't find the printer thingy... what should I do?
Thanks for the help
Maybe it is a variant; you could send the virus or suspicious files to us:
newvirus@cisrt.com

Thanks.
Moonny replied on September 15, 2007 00:41
rubbie Says :
September 1, 2007 23:55
Can you put in the keys for what I am meant to delete?
Mire Says :
August 31, 2007 00:26
Step 2.
( please copy the {CLSID} before deleting it)

copy where?
I'm sorry for being stupid, but I don't understand.. :(
copy where?
Copy the {CLSID}, "printers"="{CLSID}"
Moonny replied on September 2, 2007 10:56
Mirela Says :
August 31, 2007 00:17
You said:

delete "printers"="{CLSID}" in right panel
( please copy the {CLSID} before deleting it )
brooka Says :
August 24, 2007 20:50
Man, I got like a similar one but I can't find the printers part... and this is really gay and annoying :@ I would choke the guy who designed this virus!
Ross Says :
August 22, 2007 05:52
I need help with this. Can anyone tell me what to do when it says erase printers? WTF are printers???