Chinese Internet Security Response Team (GMT +0800)

PictureAlbum2007.zip, New MSN worm variant

[Posted on: August 10, 2007 22:59 | Category: Worm | by: smallmo]

A new variant of the MSN worm began spreading a few hours ago. This time the file name is "PictureAlbum2007.zip". The .zip contains a single file, "DSC515607.jpg-www.photobucket.com", which is a .com executable: the "jpg" and the photobucket.com host name are only part of the file name, and the real extension, .com, is one that Windows runs as a program. The .zip is about 39 KB and the .com file is 61,952 bytes. Kaspersky detects it as Trojan.Win32.Delf.ads. All users should be careful.

This new variant sends one of the messages below, in Spanish, German, Dutch, French or English. The strings are reproduced as the worm sends them (the misspelling "picure" is the worm's own); the English set at the end gives the meaning of the others:

Spanish:
Qué usted piensa de este cuadro?
Conseguí a nuevo cuadro de mí la toma una mirada
algunos cuadros de la semana pasada, consideran si usted tiene gusto en ellos.
tiene usted visto este picure todavía?
Haha, es que usted?
Debo utilizar este cuadro en msn?
Qué usted piensa en esto?

German:
Was denken Sie an diese?
was denken Sie an dieses picure? ich glaube, daß ich häßlich schaue :/
sind hier eine neue Abbildung von mir
einige Abbildungen von der letzten Woche, sehen, wenn Sie sie mögen
Haha, diese sind Sie auf dieser Abbildung?
sollte ich diese Abbildung auf msn benutzen?
Was denken Sie an dieses?

Dutch:
Wat denkt u aan dit picure? ik vind ik lelijk kijk
Een paar beelden van vorige week, zien of houdt u hier van em nieuwe pic van me. :)
Hebt u dit picure nog gezien?:p
Hebt u dit picure nog gezien? :p
Haha, bent u dat op dat beeld? :)
Zou ik dit beeld op msn moeten gebruiken?
Wat denkt u over dit?

French:
que pensez-vous a ce picure ? je me sens que je semble laid :/
Voici un nouveau pic de moi
Quelques images de la semaine dernière, voient si vous les aimez
Avez-vous vu ce picure encore ?
Haha, est-vous ce sur cette image ?
Si j'emploient cette image sur le msn ?
Que pensez-vous a mon image ?

English:
What do you think of this picure? i feel i look ugly :/
Here's a new pic of me
A few pictures from last week, see if you like em
Have you seen this picure yet?
Haha, is that you on that picture?
Should i use this picture on msn?
What do you think about this?


MD5 hash is f0e69187e52c259d048443c74219d72e.

Upon execution, it drops the following files:
%Windows%\PictureAlbum2007.zip
%System%\prodigys323.dll


It creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"prodigys323" = "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"

HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32
@= "prodigys323.dll"
( "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" is a random CLSID )

Explorer loads every CLSID listed under ShellServiceObjectDelayLoad as an in-process COM server when the shell starts, so this pair of entries makes explorer.exe load prodigys323.dll at every logon without any Run key or service. While the user is logged on the DLL is mapped inside explorer.exe, which is why it cannot simply be deleted: the ShellServiceObjectDelayLoad value has to go first, and the files can be removed after a reboot.
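The persistence chain above (ShellServiceObjectDelayLoad value, then CLSID, then InProcServer32 DLL) can be checked on a live host with the script below. It is an added example, not code from the CISRT post. It assumes an elevated PowerShell 4 or later prompt on the affected Windows machine; apart from the value name prodigys323 and the MD5 taken from the post, the names, search order and checks in it are illustrative assumptions.

```powershell
# Added example, not code from the CISRT post: triage ShellServiceObjectDelayLoad
# (SSODL) persistence on a Windows host. Run from an elevated PowerShell prompt.
# The value name "prodigys323" and the MD5 come from the post; everything else
# here is an assumption made for illustration.

$ssodlKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$knownBadNames  = @('prodigys323')                        # value name / DLL stem from the post
$knownBadHashes = @('F0E69187E52C259D048443C74219D72E')   # MD5 from the post, upper-case as Get-FileHash reports it
$providerProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-DllPath {
    param([string]$Value)
    # InProcServer32 may hold a bare file name ("prodigys323.dll"), a quoted path,
    # or a path using %SystemRoot%; normalise all three to an absolute path.
    $p = [Environment]::ExpandEnvironmentVariables($Value.Trim('"'))
    if ([IO.Path]::IsPathRooted($p)) { return $p }
    # A bare name is loaded from the system directories, which is where this
    # worm drops its DLL (%System%\prodigys323.dll).
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)) {
        $candidate = Join-Path $dir $p
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $p
}

function Get-SsodlEntries {
    $props = Get-ItemProperty -Path $ssodlKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($prop in $props.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip provider metadata
        $name    = $prop.Name
        $clsid   = [string]$prop.Value
        $server  = $null
        $dll     = $null
        $reasons = @()

        # HKCR is a merged view of these two hives; check both so a per-user
        # registration is not missed.
        foreach ($key in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32",
                           "HKCU:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32")) {
            if (Test-Path -LiteralPath $key) {
                $server = (Get-ItemProperty -LiteralPath $key).'(default)'
                break
            }
        }

        if (-not $server) {
            $reasons += 'CLSID has no InProcServer32 registration'
        } else {
            $dll  = Resolve-DllPath $server
            $stem = [IO.Path]::GetFileNameWithoutExtension($dll)
            if (($knownBadNames -contains $name) -or ($knownBadNames -contains $stem)) {
                $reasons += 'name matches the component reported in the post'
            }
            if (Test-Path -LiteralPath $dll) {
                $md5 = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
                if ($knownBadHashes -contains $md5) {
                    $reasons += "MD5 $md5 matches the published sample hash"
                }
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
                if ($sig.Status -ne 'Valid') {
                    $reasons += "Authenticode status $($sig.Status)"
                }
            } else {
                $reasons += "DLL not found on disk: $dll"
            }
        }

        [pscustomobject]@{
            Name       = $name
            CLSID      = $clsid
            Dll        = $dll
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

$entries = Get-SsodlEntries
$entries | Format-Table -AutoSize

# Removal, once an entry is confirmed to be the worm's: drop the SSODL value so
# Explorer stops loading the DLL, then delete the files after a reboot (the DLL
# stays mapped into explorer.exe until then).
# $entries | Where-Object { $_.Name -eq 'prodigys323' } | ForEach-Object {
#     Remove-ItemProperty -Path $ssodlKey -Name $_.Name
# }
```

Legitimate Microsoft entries live in this key too, so decide on the resolved DLL path, its hash and its signature rather than on the key alone; and on older Windows versions catalog-signed system DLLs can report a status other than Valid, so treat that flag as a prompt to look closer, not as proof.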


Alias:

W32.Mimbot.A [Symantec]



Last modified by smallmo on August 10, 2007 23:13

Anonymous Says :
September 21, 2007 09:22
Everyone on my contacts got the virus and they don't know how to get rid of it! It is also named IMG-0012.zip.
Moonny replied on September 21, 2007 10:24:
This may help you:
http://www.cisrt.org/enblog/read.php?162
Ez Says :
September 20, 2007 20:13
I have the same problem...what do you do for macs????
GAMDUN Says :
August 18, 2007 13:31
delete this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"prodigys323"
delete PictureAlbum2007.zip and prodigys323.dll after reboot.
Fares Says :
August 18, 2007 07:38
I clicked on it and can someone say how to fix the Album virus?
eUpH0rIa Says :
August 12, 2007 18:00
Yes. And it is spreading among users pretty quickly due to the innocent look of the attachment and its messages.
serious_joker Says :
August 11, 2007 18:28
Apparently every MSN Hotmail contact listed in the infected user's PC gets a message inviting to download a zip file that contains "DSC515607.jpg-www.photobucket.com".