Chinese Internet Security Response Team (GMT +0800)

G038_jpg.zip, IRCBot.aex

[Posted on: August 28, 2007 17:37 | Category: Bot & Botnets | by: smallmo]

A friend from Holland sent us a variant of an MSN worm yesterday. Thanks.

The file name is "G038_jpg.zip". The .zip archive contains a .com file, "www.G038_jpg-msn.com". Kaspersky detects it as Backdoor.Win32.IRCBot.aex. Be careful.

The details about this variant:

G038_jpg.zip (www.G038_jpg-msn.com)
Size: 435,200 bytes
MD5 hash: 3ede1801994c59b35b96aac2b13852d1
Detection: Backdoor.Win32.IRCBot.aex (Kaspersky)
Details:

(1) Drops files:
%Windows%\G038_jpg.zip
%Windows%\CDSpeed.exe


(2) Adds registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CDSpeed.exe" = "%Windows%\CDSpeed.exe"


Modifies registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCDisable"=dword:ffffff9d
"SFCScan"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
"WaitToKillServiceTimeout"="7000"


(3) Modifies several registry entries and system files, such as ftp.exe, tftp.exe and tcpip.sys.

(4) Sends messages (in several languages):
dessa egentligen trevliga: P
gyckel måste se dig detta fotografera
du fick se detta dess galet :p
estes são realmente agradáveis :P
wow você viu este?
como você gosta de me nesta foto
você começou ver este seu assim engraçado
Bu resimler nasil sence bir bakarmisin :)
su komik resimlerime baksana :D
bak :P
Kiz kardesim bunlari sana yollamami söyledi ;)
bu resimler space in nasil
Space ime bun resimleri eklesem sence nasil olur
avete ottenuto vedere questo relativo così divertente
come lo pensate osservi qui sguardo di lol
a questo controllo di distorsione di velocità questo fuori
el lol mi hermana quisiera que le enviara este bum de foto
vengo de fi este foto bum
ey i que hace el bum de foto!
Si vea el loL del em
l tipo, me acepta por favor su solamente bum de foto: (!
lol meine Schwester wünscht mich Ihnen dieses Fotoalbum schicken
Geck, nehmen bitte sein nur mich Fotoalbum an: (!
he möchten mein neues Fotoalbum sehen?
hoe vind je dit er uit zien ?
hoe vind je dit ?
echt erg kijk dan
zo hee moet je dit zien echt niet normaal
zo moet je me hier op zien lol
lol he hoe vind je me hier op
eeeh c mes tof :p
c seulement mes tof de derniers vacances
tu dois voire les tof de notre bande
comment est-ce que je regarde sur cette photo ?
le lol ceci est drôle
ma soeur a voulu que tu regarde ca
daut de la reproduction sonore avez-vous vu ceci ?
looooook :p
loooooooooooool :D
lol he looks weird on this photo
omg check this out man this is funny
lol you got to see this :P


HOW TO REMOVE

STEP 1
Delete the registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CDSpeed.exe"="%Windows%\CDSpeed.exe"

STEP 2
Restart Windows.

STEP 3
Delete the virus files:
%Windows%\G038_jpg.zip
%Windows%\CDSpeed.exe

STEP 4
Copy %System%\microsoft\backup.tftp to:
%System%\tftp.exe
%System%\dllcache\tftp.exe
Copy %System%\microsoft\backup.ftp to:
%System%\ftp.exe
%System%\dllcache\ftp.exe

STEP 5
Set registry data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCDisable"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
"WaitToKillServiceTimeout"="20000"

Delete "SFCScan":
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCScan"
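Added example, not code from the CISRT post or its tools: a PowerShell audit that checks a host for the indicators listed under (1) and (2) and for the backups that removal step 4 depends on, and with -Remediate reverts the registry changes of steps 1 and 5. The key paths, value names and values come from the post; the script layout, variable names and the -Remediate switch are assumptions of this example.

```powershell
# Added example, not from the CISRT post: audit a host for the IRCBot.aex
# indicators listed above and, with -Remediate, apply the registry part of
# the removal (steps 1 and 5). Run elevated; then reboot and delete the
# dropped files as in step 3 (files in use cannot be removed before that).
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$Win = $env:SystemRoot; $Sys = "$Win\System32"
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Control  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$hits = New-Object System.Collections.Generic.List[string]

# (1) dropped files, plus the ftp.exe/tftp.exe backups that step 4 restores from
foreach ($f in "$Win\G038_jpg.zip", "$Win\CDSpeed.exe",
               "$Sys\microsoft\backup.tftp", "$Sys\microsoft\backup.ftp") {
    if (Test-Path -LiteralPath $f) { $hits.Add("file present: $f") }
}

# (2) Run-key persistence
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['CDSpeed.exe']) {
    $hits.Add("Run value CDSpeed.exe = '$($run.'CDSpeed.exe')'")
}

# Windows File Protection disabled (post lists SFCDisable=ffffff9d) and SFCScan added
$wl = Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue
if ($wl -and $wl.PSObject.Properties['SFCDisable'] -and $wl.SFCDisable -ne 0) {
    $hits.Add(('SFCDisable = 0x{0:x8}' -f $wl.SFCDisable))   # REG_DWORD comes back as Int32
}
if ($wl -and $wl.PSObject.Properties['SFCScan']) { $hits.Add('SFCScan value present') }

# shutdown timeout lowered to 7000
$ct = Get-ItemProperty -Path $Control -ErrorAction SilentlyContinue
if ($ct.WaitToKillServiceTimeout -eq '7000') { $hits.Add('WaitToKillServiceTimeout = 7000') }

if ($hits.Count -eq 0) { Write-Output 'No IRCBot.aex indicators found.'; return }
$hits | ForEach-Object { Write-Warning $_ }

if ($Remediate -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'revert IRCBot.aex registry changes')) {
    Remove-ItemProperty -Path $RunKey   -Name 'CDSpeed.exe' -ErrorAction SilentlyContinue   # step 1
    Set-ItemProperty    -Path $Winlogon -Name 'SFCDisable' -Value 0 -Type DWord             # step 5
    Remove-ItemProperty -Path $Winlogon -Name 'SFCScan' -ErrorAction SilentlyContinue
    # 20000 is the value the post restores; confirm it matches the default of your Windows version
    Set-ItemProperty    -Path $Control  -Name 'WaitToKillServiceTimeout' -Value '20000' -Type String
    Write-Output 'Registry reverted. Reboot, then delete the dropped files (step 3) and restore ftp/tftp (step 4).'
}
```

Run it without -Remediate first to see what it finds; -WhatIf with -Remediate shows the registry changes without applying them.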




Last modified by smallmo on August 30, 2007 23:52

kriDje Says :
September 26, 2007 02:33
This is the Dutch translation. I don't know why people want that, but this is it.
________________________________

These are the instructions in Dutch:

STEP 1
Start -> Run
Type: Regedit

Remove from the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CDSpeed.exe"="%Windows%\CDSpeed.exe"

STEP 2
Restart WINDOWS

STEP 3
Delete the following virus files:

%Windows%\G038_jpg.zip
%Windows%\CDSpeed.exe

%Windows% is usually just C:/Windows

STEP 4
Copy %System%\microsoft\backup.tftp to:

%System%\tftp.exe
%System%\dllcache\tftp.exe
Copy %System%\microsoft\backup.ftp to:

%System%\ftp.exe
%System%\dllcache\ftp.exe

STEP 5
Change the following registry data:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCDisable"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
"WaitToKillServiceTimeout"="20000"

Delete "SFCScan":

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCScan"

Done!
_____________________

Thank you!
Moonny replied on September 26, 2007 11:17
sophieBimbo Says :
September 10, 2007 23:09
I know nuts about this, and I need help because it's getting annoying... Anybody willing to guide me on how I could remove this idiotic virus?

Appreciate much.
Get back to me @ rastachic@gmail.com
maddie Says :
September 6, 2007 08:07
OK, I don't understand the steps... how do you do number
one?
"Start" menu -> "Run", input "REGEDIT"
to open Registry Editor
Moonny replied on September 6, 2007 09:20
anne Says :
September 3, 2007 22:31
I'm 12 but I don't understand.
Please help me.
I come from Holland. Please :'( big kiss anne
Do you know "Registry Editor"?

or

You could download this tool:
http://www.cisrt.org/tools/SREngPS.EXE
use its "SmartScan", save the detailed report SREngLOG, and send the SREngLOG to me please: moonny@cisrt.com
Moonny replied on September 4, 2007 09:50
mariobros Says :
August 30, 2007 02:31
Is this explanation also available in a Dutch version?
Morgoth Says :
August 30, 2007 02:09
Thanks.
I linked your guide from my site
Ngp Says :
August 29, 2007 08:36
Hi, I still can't do step 4, would you tell me how please?
Do
%System%\microsoft\backup.tftp
%System%\microsoft\backup.ftp
exist or not?
Moonny replied on August 29, 2007 09:47
h Says :
August 29, 2007 08:21
thanks man
BendeBoy Says :
August 29, 2007 06:02
"Thanks."

You're welcome :)
LLam Says :
August 29, 2007 02:56
ty a lot man!

www.chilled.hu
Roy Says :
August 28, 2007 23:39
Hi, this is really a stupid worm.
Some friends already have the worm; I linked them to this site so they can remove it, thanks.