Chinese Internet Security Response Team (GMT +0800)

Chirstmas-2007.zip Spreads via MSN

[Post on : December 25, 2007 17:53 | Category : Worm | by : smallmo] Reship : Original

We received some reports that a .zip file "chirstmas-2007.zip" was spreading via MSN Messenger. This worm also sends out the following message:
Christmas photo! :D
vengo de fi este foto
lbum
Hey i que hace el
lbum de foto! Si vea el loL del em
xmas photo!: D
haha :D
lol, christmas pictures off me
hola, My Christmas picture for you :)


The .zip file contains a double-extension file, "img2007-12.JPEG.scr". Its size is 56,065 bytes and its MD5 hash is 0c222d6191212a52ae70a8283eb7c316. Kaspersky detects it as IM-Worm.Win32.Agent.av.
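
A defender-side check for the two indicators in the paragraph above, as an added example (not code from CISRT): it flags zip members whose name ends in a decoy extension followed by an executable one, and members whose MD5 matches the reported hash. The extension lists, the size limit and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

# Extensions Windows runs directly; a .scr screensaver is an ordinary executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Extensions a recipient expects to be harmless (constructed list, extend as needed).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".doc", ".pdf", ".txt"}
# MD5 of img2007-12.JPEG.scr as reported in this post.
KNOWN_MD5 = {"0c222d6191212a52ae70a8283eb7c316"}
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # skip hashing huge members (zip-bomb guard)


def is_double_extension(name):
    """True for names like photo.JPEG.scr: decoy extension, then executable one."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    parts = [p.strip() for p in base.lower().split(".")]
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS


def scan_zip(data):
    """Inspect a zip passed as bytes; return (name, md5, reasons) per flagged member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons, digest = [], None
            if is_double_extension(info.filename):
                reasons.append("double-extension")
            if info.file_size <= MAX_MEMBER_BYTES:
                digest = hashlib.md5(zf.read(info)).hexdigest()
                if digest in KNOWN_MD5:
                    reasons.append("known-md5")
            if reasons:
                findings.append((info.filename, digest, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: placeholder bytes stored under the reported file name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("img2007-12.JPEG.scr", b"placeholder bytes, not the worm")
        zf.writestr("holiday.jpeg", b"\xff\xd8\xff")
        zf.writestr("notes.v2.txt", b"two dots, but no executable extension")
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` flags only the `.JPEG.scr` member, by name; the placeholder content does not match the reported hash.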

Upon execution, it drops the following files:
%Windows%\chirstmas-2007.zip
%Windows%\servidevice.exe


It creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ryan1918" = "servidevice.exe"


Update 12:10 p.m. Dec. 26, 2007:

McAfee detects this worm as W32/Checkout!0e4a3c52




Last modified by smallmo on December 26, 2007 12:10

smallmo Says :
December 26, 2007 11:20
Hello, caii. All the copyright information can be seen here.
caii Says :
December 26, 2007 09:08
Thank you very much.

Btw, you should not remove the copyright information of Bo-Blog.