MSN worm activity is very heavy today. We have received three variants, and one of them is spreading quickly in China now.
The file names we have received so far are "myphotos2007.zip" and "imgac157.zip". The .zip files contain two .com files whose names mimic picture files:
DSC515607.jpg-www.pictureland.com
img1851.jpg-www.imagehosting.com
Please be careful with these file names.
We are posting the details of these three variants to help users remove them.
1. myphotos2007.zip
Size: 66,048 bytes
MD5 hash: 2326b3809bf23026c56468eafa86d093
Detection: Backdoor.Win32.IRCBot.acd (Kaspersky)
Drops files:
%Windows%\myphotos2007.zip (contains "DSC515607.jpg-www.pictureland.com")
%System%\newsystem25.dll
Adds registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"prodigy1"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
[HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
@="newsystem25.dll"
("{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" is a random CLSID)
Sends messages:
Qué usted piensa de este cuadro?
Conseguía nuevo cuadro de mí la toma una mirada
algunos cuadros de la semana pasada, consideran si usted tiene gusto en ellos.
tiene usted visto este picure todavía?
Haha, es que usted? Debo utilizar este cuadro en msn?
Qué usted piensa en esto?
Was denken Sie an diese?
was denken Sie an dieses picure? ich glaube, daß ich häßlich schaue :/
sind hier eine neue
Abbildung von mir einige Abbildungen von der letzten Woche, sehen, wenn Sie sie mögen
Haha, diese sind Sie auf dieser Abbildung?
sollte ich diese Abbildung auf msn benutzen?
Was denken Sie an dieses?
Wat denkt u aan dit picure?
ik vind ik lelijk kijk
Een paar beelden van vorige week, zien of houdt u hier van em nieuwe pic van me. :)
Hebt u dit picure nog gezien?:p
Hebt u dit picure nog gezien? :p
Haha, bent u dat op dat beeld? :)
Zou ik dit beeld op msn moeten gebruiken?
Wat denkt u over dit?
que pensez-vous à ce picure ? je me sens que je semble laid :/
Voici un nouveau pic de moi
Quelques images de la semaine dernière, voient si vous les aimez
Avez-vous vu ce picure encore ?
Haha, est-vous ce sur cette image ?
Si j'emploient cette image sur le msn ?
Que pensez-vous à mon image ?
What do you think of this picure? i feel i look ugly :/
Here's a new pic of me
some pictures from my holyday :p
have u seen this picture? if not, se ..
Haha, is that you on that picture?
lol, picture off a friend naked, just found it on a web site, do you know here?
How do i look at this picture?
2. imgac157.zip
Size: 81,408 bytes
133,120 bytes
MD5 hash: 3cc4dfe64efd52d43fa15d1fc3b86344
ce3fc839a0f34578dbdb854b2713aef5
Detection: 81,408 bytes — Backdoor.Win32.IRCBot.adi (Kaspersky)
133,120 bytes — Backdoor.Win32.IRCBot.adk (Kaspersky)
Drops files:
%Windows%\imgac157.zip (contains "img1851.jpg-www.imagehosting.com")
%Windows%\winpo32.exe
Adds registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Population Logger"="winpo32.exe"
Creates a .bat file "a.bat" in %SystemDrive% and uses it to stop the "Security Center" and "winvnc4" services, then deletes itself:
@echo off
net stop "Security Center"
net stop winvnc4
del c:\a.bat
Sends messages:
OMG I broken my foot, look!
Is this you?
Accept dis picture homie
Hahahahahahahaha
look @ my new car
Look @ my new house
Did you see this picture of Paris Hilton?
OMG, this picture is so sad :(
Look how cute we look in this picture?
Should I tag you in this picture?
Hey, check out my new picture
Are you going to accept this?
Look at this image!!!
LoL, have you seen this?
Hi, did you see this picture from our summer?
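Both variants persist through the registry, and the ShellServiceObjectDelayLoad (SSODL) one is the harder to check by hand because the value only holds a random CLSID; the DLL that actually loads is named in that CLSID's InProcServer32 default value. As an added example (not CISRT's tooling), the following Python script parses a REGEDIT export (.reg) and does that resolution, then flags SSODL entries that are not on an allowlist, Run-key values pointing at the dropped file names, and MSConfig startupreg items (the location a commenter found the Run entry moved to). The sample export, the prodigy1 CLSID, the allowlist and the "command" value name under startupreg are constructed or assumed for this example; on a real host, export the registry with `regedit /e all.reg` and feed that file to `parse_reg`.

```python
# Added example: resolve the persistence entries this advisory lists from a
# .reg export. Sample export is constructed; the prodigy1 CLSID is a made-up
# placeholder standing in for the random CLSID the worm generates.
import re

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MSCONFIG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
# HKCR is a merged view; an export may carry the CLSID under either hive's Classes key.
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
               r"HKEY_CURRENT_USER\Software\Classes\CLSID")

SUSPECT_FILES = {"newsystem25.dll", "winpo32.exe"}  # dropped file names from the advisory
# Assumed allowlist: the stock XP WebCheck entry; extend it from a known-clean export.
KNOWN_SSODL_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"prodigy1"="{0A1B2C3D-1111-2222-3333-444455556666}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{0A1B2C3D-1111-2222-3333-444455556666}\InProcServer32]
@="newsystem25.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Population Logger"="winpo32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Population Logger]
"command"="winpo32.exe"
'''

_KEY_RE = re.compile(r"\[(.+)\]")
_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def _unquote(s):
    """Strip .reg quoting and its \\\\ and \\" escapes from a string token."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r'\\(["\\])', r'\1', s[1:-1])
    return s


def parse_reg(text):
    """Return {key_path: {value_name: data}}; "" holds the key's default (@) value.
    Only REG_SZ lines are decoded; hex(...) data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.fullmatch(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.fullmatch(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def resolve_ssodl(keys):
    """Map each SSODL value name to (clsid, dll) by following the CLSID to its
    InProcServer32 default value, trying each Classes root in turn."""
    out = {}
    for name, clsid in keys.get(SSODL, {}).items():
        dll = None
        for root in CLSID_ROOTS:
            inproc = keys.get(root + "\\" + clsid + "\\InProcServer32")
            if inproc and "" in inproc:
                dll = inproc[""]
                break
        out[name] = (clsid, dll)
    return out


def find_suspicious(keys):
    """Return (location, value_name, clsid, target) tuples worth a closer look."""
    findings = []
    for name, (clsid, dll) in resolve_ssodl(keys).items():
        unknown = clsid.upper() not in KNOWN_SSODL_CLSIDS
        if unknown or dll is None or _basename(dll) in SUSPECT_FILES:
            findings.append(("SSODL", name, clsid, dll))
    for name, cmd in keys.get(RUN, {}).items():
        if _basename(cmd) in SUSPECT_FILES:
            findings.append(("Run", name, None, cmd))
    for key, values in keys.items():  # startup items MSConfig has moved aside
        if key.startswith(MSCONFIG + "\\") and _basename(values.get("command", "")) in SUSPECT_FILES:
            findings.append(("MSConfig", key.rsplit("\\", 1)[-1], None, values["command"]))
    return findings


if __name__ == "__main__":
    for loc, name, clsid, target in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f"{loc:8} {name!r:32} CLSID={clsid} -> {target}")
```

Resolving the CLSID before deleting anything is the point: one commenter below deleted the prodigy1 value first and then had no way to find the matching CLSID\InProcServer32 key, so the script records the pair together. The allowlist deliberately flags any SSODL CLSID it does not know rather than only the named DLL, since the worm's DLL name could change between variants while the loading mechanism stays the same.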
Chinese users can visit our CNblog: http://www.cisrt.org/blog/read.php?373
If you are infected with different samples, please send them to newvirus@cisrt.com in a .RAR or .ZIP file with the password: virus
Update 11:25 p.m, Aug.22, 2007:
We upgraded our Threat Level from Low to Medium at 11:20 p.m, Aug.22, 2007, as more and more users have received these variants. We warn all users to be careful.
Update 1:00 p.m, Aug.26, 2007:
Our Threat Level returned to Low at 1:00 p.m, Aug.26, 2007.
----------------------------------------
The detailed removal instructions are on the next page.
Last modified by smallmo on August 26, 2007 17:51
hj Says :
August 24, 2007 17:01
how do I know if my computer isn't affected by imgac157.zip/winpo32.exe??
hj Says :
August 24, 2007 16:59
Way to go Moonny, I found the file. It can also be in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad in Postboot or
Syntask. DELETE ALL OF THOSE TWO FILES!! Then you're free of myphotos2007.zip!!
nat Says :
August 24, 2007 16:35
I went there to the first file but still can't find prodigy, where else could it be? HELP!!
You may download this tool:
http://www.cisrt.org/tools/SREngPS.EXE
"Smart Scan", and save the detailed report SREngLOG.LOG.
Please send the LOG file to me: moonny@cisrt.com
Moonny replied on August 24, 2007 16:50
sze Says :
August 24, 2007 11:14
hi! i deleted the prodigy1 file before noting down the CLSID, so now i have no idea what it is! therefore i can't carry out the step to delete [HKEY_CLASSES_ROOT\CLSID\{the same CLSID}\InProcServer32]
HELP ME!! =(
Ashley Says :
August 24, 2007 04:11
I just received this myphotos2007.zip from one of my msn contacts
message read: What do you think of this picure? i feel i look ugly :/
Beware! :)
Ranier Says :
August 23, 2007 23:09
where are
%Windows%\imgac157.zip
%Windows%\winpo32.exe
%Windows%, is the WINDOWS folder, such as:
C:\WINDOWS (9x,XP,2003)
C:\WINNT (Nt,2000)
Moonny replied on August 24, 2007 00:07
Nat Says :
August 23, 2007 19:46
where is prodigy1"="{CLSID}"?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
right pane
Moonny replied on August 23, 2007 20:09
Nat Says :
August 23, 2007 19:25
where is the registry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"prodigy1"="{CLSID?
My computer is really infected please answer me!!
START menu -> Run -> REGEDIT
open the registry editor
Moonny replied on August 23, 2007 20:09
Ranier Says :
August 23, 2007 18:41
where is the registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Population Logger"="winpo32.exe"
pls help me pls pls pls pls pls pls
START menu -> Run -> REGEDIT
open the registry editor
Moonny replied on August 23, 2007 20:09
Namenick Says :
August 23, 2007 11:25
I have a similar question to Mujo's... i accepted the file, unzipped it, then renamed it to .jpg instead of .com and then ran it via ACDSee... am i infected? cause i can't really seem to find any traces of it
NOT be infected. :)
Moonny replied on August 23, 2007 13:26
I made an app that will do the job for you. It is for both imgac157.zip and myphotos2007.zip.
Download it from >
http://sneleni.users.sbb.co.yu/msn_worm_remover_[mwr].exe
@Mujo: No it is not, but if you can look at your Message History and see if "you" sent files with names mentioned above in solution.
Mujo Says :
August 23, 2007 10:44
I have a question here, I accepted mine but did not open it so has it been activated ?
For imgac157.zip/winpo32.exe
I can not find the registry key mentioned above, BUT he was hiding in > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Population Logger]
Delete entire Registry Key with all values !!!
P.S. Files like [winpo32.exe] and [imgac157.zip] will be at your Windows installation dir like [c:\windows].
Good luck m8s !!!
maybe run MSCONFIG before
Moonny replied on August 23, 2007 09:48
ozzy Says :
August 23, 2007 05:22
hi moonny, my friends can't find those files and i already deleted another file imgac157 that has been activated like an hour ago but these files that you said like %Windows%\imgac157.zip
%Windows%\winpo32.exe we can't find them pls help!!!
"another file imgac157", the location is...?
The attribute of winpo32.exe is SHR.
Moonny replied on August 23, 2007 09:47