Chinese Internet Security Response Team (GMT +0800)

IMG024.JPG.zip, Rbot.csm

[Post on : August 21, 2007 18:12 | Category : Bot & Botnets | by : smallmo]

We have received reports from Hong Kong that a new MSN worm variant is now spreading via MSN Messenger. The variant sends a file named "IMG024.JPG.zip" to the contacts on the victim's MSN list. The .zip archive contains a .com file, "IMG024.JPG.com" (the double extension makes the executable look like an image), 37,888 bytes in size; Kaspersky detects it as Backdoor.Win32.Rbot.csm.

This variant sends one of the following messages, chosen according to the language of the operating system.

English version:
wanna see the pics from my vacation? :>
wow! look at this old picture i found :|
hey did i ever show you this picture of me?
haha you should make this your default pic on myspace or something :D
hey i'm going to add this picture of us to my weblog
lol remember when you used to have your hair like this
hey i'm gonna put this picture of us on my myspace

Spanish version:
oye voy a poner esa foto de nosotros en mi myspace :->
jaja recuerda cuando tuviste el pelo asi
oye voy a agregar esa foto a mi blog ya
jaja debes poner esa foto como foto principal en tu myspace o algo :D
hola esas son las fotos :>
esa foto de tu y yo la voy a poner en myspace
voy a poner esa foto de nosotros en mi blog
ya oye ponga esa foto en tu myspace como la foto principal
jajaja yo me recuerdo cuando tuvistes el pelo asi
ay no ese pelo fue lo mas chistoso...q estabas pensando

Italian version:
ehi metterò quest'immagine di noi sul mio myspace :>
jaja ricordo quando lei aveva i suoi capelli come questo
ehi aggiungerò quest'immagine di noi al mio weblog
jaja lei dovrebbe fare quest'il suo pic predefinito sul myspace o qualcosa :D
metta questi fotos in suo pagina myspace
Qui sono il fotos di ci
Caricherò questa foto al mio myspace adesso
Io ricordo quando abbiamo portato questa foto
Per favore nessuno lasciare vede le nostre foto

German version:
he werde ich diese Abbildung von uns auf mein myspace setzen
lol erinnern sich, an als Sie pflegten, Ihr Haar so zu haben
he werde ich diese Abbildung von uns meinem weblog hinzufügen
Haha sollten Sie dieses Ihre Rückstellung auf myspace oder etwas pic bilden:D
he ich zeige Ihnen diese Abbildung von mir überhaupt?
Wimmern! Blick auf diese alte Abbildung, die ich fand :|
möchten den pics von meinen Ferien sehen?

Dutch version:
wil je fotos zien van mijn vakantie
wow! moet je eens kijken welke foto ik nu gevonden heb
he heb je ooit deze foto laten zien ?
haha you moet die je standaard foto maken op hyves of myspace
hey ik voeg deze foto van ons ff toe op mijn weblog
lol ik kan me nog herrinneren toen je haar zoals dit had
hey i zet deze foto van ons even op mijn myspace :>

French version:
voulez voir le PICS de mes vacances?
début de la reproduction sonore !
regard à cette vieille image que j'ai trouvé :|
est-ce qu'hé je vous montre jamais cette image de moi?
haha vous devriez rendre ceci votre défaut pic sur le myspace ou quelque chose :D
hé je vais ajouter cette image de nous à mon weblog le
lol se rappellent quand vous aviez l'habitude d'avoir vos cheveux comme ceci
hé je vais mettre cette image de nous sur mon myspace :>


The MD5 hash of the .com file is 2a6458b5fc9214eaa9f3af82399a10a8.

Upon execution, it drops the following files:
%windir%\system\ehSched.exe
%windir%\system\IMG024.JPG.zip


It creates the following registry value, so that the dropped file runs at every logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ehSched"="%Windows%\system\ehSched.exe"


It modifies the following keys (these silence Security Center notifications, turn off the Windows Firewall and Automatic Updates, block the XP SP2 upgrade, disable DCOM and the administrative shares, and stop several services from starting):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
"WaitToKillServiceTimeout"="7000"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
"EnableFirewall"=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
"EnableFirewall"=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
"AUOptions"=dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"restrictanonymous"=dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
"DoNotAllowXPSP2"=dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"EnableDCOM"="N"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
"Start"=dword:00000004

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
"Start"=dword:00000004

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
"Start"=dword:00000004

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
"Start"=dword:00000004
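As an added illustration (not part of the original post), the following Python script checks a regedit export for the registry state listed above, so a responder can triage an exported hive offline. The sample export is constructed, and the indicator table and the scan_reg_export function are this example's own, not the worm's or the team's code.

```python
import re
# Registry indicators taken from the write-up above: (key, value name, expected data).
# expected=None means any data counts (an "ehSched" Run entry is suspicious whatever it points to).
RBOT_CSM_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ehSched", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", "dword:00000001"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", "dword:00000001"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", "dword:00000000"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", "dword:00000001"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", "dword:00000004"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", '"N"'),
]
# Constructed sample of a regedit export (as written by "reg export"); not from a real infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehSched"="C:\\WINDOWS\\system\\ehSched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
'''

def parse_reg_export(text):
    # Returns {key path: {value name: raw data}}, lower-cased because the registry is case-insensitive.
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                result[current][m.group(1).lower()] = m.group(2)
    return result

def scan_reg_export(text):
    # Returns the (key, name, data) triples that match an indicator; treat them as corroborating
    # evidence, since an administrator can legitimately set several of these values too.
    reg = parse_reg_export(text)
    hits = []
    for key, name, expected in RBOT_CSM_INDICATORS:
        data = reg.get(key.lower(), {}).get(name.lower())
        if data is not None and (expected is None or data == expected):
            hits.append((key, name, data))
    return hits
```

On the constructed sample the scan reports the Run entry, the AntiVirusDisableNotify flag and the disabled wscsvc service, and ignores FirewallDisableNotify because its data does not match.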



Last modified by smallmo on August 21, 2007 18:33

Tom Says :
November 3, 2007 14:03
Yeah, I got the virus as well, but I can't find the files you mentioned. What do I do?

%windir%\system\ehSched.exe
%windir%\system\IMG024.JPG.zip
Hello, Tom. It looks like a variant of the MSN worm. Please send it to us as a .RAR or .ZIP file with the password "virus". Our mailbox: newvirus@cisrt.com & sample@cisrt.org (RAR only)
smallmo replied on November 3, 2007 19:14
Kitten Says :
September 26, 2007 06:53
I can't open up anyone's MSN window; if they want to chat with me they have to send it first. It's been like this all day today... please tell me why.....

Sarah
sdfd Says :
September 20, 2007 02:57
None of the methods that I've tried have worked, including the ones that are on this page.
What do I do? I have img024 and sometimes img1223.
Help me please!!!
Thanks!!
You could send the virus zip files or suspicious files to us.
Email: sample@cisrt.org

Please compress files in .RAR with password "virus", thanks.
Moonny replied on September 20, 2007 09:38
oded Says :
September 17, 2007 06:17
I got a virus named IMG_1123.rar but I can't apply any of the solutions because I don't have these files / keys... can I send it to your email or something for you to check please :\
because I already opened it :(
Please send IMG_1123.rar to me:
moonny@cisrt.com
I'll help you to remove it.
Moonny replied on September 17, 2007 13:45
Elis Says :
September 14, 2007 07:22
Hey, I just got the virus this morning and I opened it. The point is that I couldn't find any of the keys in the registry, but the virus is still sending itself to my MSN contacts..
What should I do?
Please send the virus file to me: moonny@cisrt.com
Thanks.
Moonny replied on September 14, 2007 09:45
help =( Says :
September 13, 2007 17:29
How do I get rid of the IMG-0012.zip? I didn't even accept or view that file from any friend. I've no idea how I got it on my computer.
Please help me! :( Thank you!
Moonny replied on September 13, 2007 20:18
anna Says :
September 12, 2007 00:25
Hey, what should I do if I have opened it?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehSched"="%Windows%\system\ehSched.exe"

delete this registry item first, and then delete these files after restarting:

%windir%\system\ehSched.exe
%windir%\system\IMG024.JPG.zip
Moonny replied on September 12, 2007 09:04
gunmetalgrey Says :
September 12, 2007 00:07
Hi, I just got a virus similar to this except the file name is IMG-0012.zip. Is this the same virus? The message that gets sent out is one of the ones listed, i.e.

"lol remember when you used to have your hair like this"

can I follow the instructions above to remove it?

thanks for any help!
Please send the file IMG-0012.zip to me: moonny@cisrt.com
Thanks.
Moonny replied on September 12, 2007 09:04
Reich Says :
September 11, 2007 22:57
Oops, I have opened the file. I tried to follow your indications but without success; my OS is Windows Vista.
DJ Monkey Says :
September 11, 2007 20:13
My friend just got this virus, how do you get rid of it?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehSched"="%Windows%\system\ehSched.exe"

delete this registry item first, and then delete these files after restarting:

%windir%\system\ehSched.exe
%windir%\system\IMG024.JPG.zip
Moonny replied on September 11, 2007 20:19
HiMeKeN Says :
September 10, 2007 23:55
What about if I opened the zip, saw it was a .exe file, and deleted it without unzipping it; then I checked the registry for the key modifications and I don't have any. I am safe, right?
Yes, safe.
Moonny replied on September 11, 2007 14:08
dapp Says :
September 10, 2007 07:31
I got this but didn't open the file... what should I do about it???

-lol remember when you used to have your hair like this
-Check out my nice photo album. :D
-esa foto de tu y yo la voy a poner en myspace
do NOT open, SAFE for you.
Moonny replied on September 10, 2007 17:59