We have received several reports that a file "photo album.zip" is currently spreading quickly via MSN Messenger. We have confirmed that it is a variant of Backdoor.Win32.IRCBot. If you receive an MSN message like the following, please do not open the attachment.

HEY lol i've done a new photo album !:) Second ill find file and send you it.
Hey wanna see my new photo album?
Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
Hey just finished new photo album! :) might be a few nudes ;) lol...
hey you got a photo album? anyways heres my new photo album :) accept k?
hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..

In the .zip file there is a file "photo album2007.pif", 18,944 bytes, packed with UPX. Kaspersky detects it as Backdoor.Win32.IRCBot.aaq.
Upon execution, this IRCBot drops a copy of itself:
%windows%\photo album.zip
It also drops a .dll file and injects it into Explorer.exe:
%system%\rdshost.dll
It then connects to an IRC channel at:
darkjester.xplosionirc.net
Our analyst Moonny has posted a detailed report in Chinese.
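As an added example (not code from the CISRT post or its analysts), here is a small host-side indicator scanner built from the indicators above: the dropped file names, the 18,944-byte sample size, UPX packing of the .pif, and the rdshost.dll drop. The numbered-zip pattern generalises the "photo_album234.zip" variant reported in the comments, and the other DLL names are the ones commenters report. The directory layout and sample files are constructed inside the script so it runs offline; the helper names (check_file, scan_tree, build_sample_tree) and the choice of a 4 KiB header window for the UPX marker are this example's own assumptions. Real triage would point scan_tree at %windows% and %system% instead of the constructed tree.

```python
"""Indicator scanner for the MSN "photo album" IRCBot indicators.

Added example, not from the CISRT post.  Indicator values come from the
post body and comments; the sample tree below is constructed, not real
malware.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# File-name indicators.  The first pattern covers "photo album.zip",
# "photo album2007.pif" and the numbered "photo_album234.zip" variant
# reported in the comments; the DLL names are from the post (rdshost.dll)
# and from commenters (rdchost / rdihost / systesrt32).
DROPPED_NAME_PATTERNS = [
    re.compile(r"^photo[ _]?album\d*\.(zip|pif)$", re.IGNORECASE),
    re.compile(r"^myalbum\d*\.zip$", re.IGNORECASE),
    re.compile(r"^mjd\.zip$", re.IGNORECASE),
    re.compile(r"^(rdshost|rdchost|rdihost|systesrt32)\.dll$", re.IGNORECASE),
]
KNOWN_SIZE = 18944      # "photo album2007.pif", 18,944 bytes per the post
UPX_MARKER = b"UPX!"    # marker UPX leaves in the packed PE's header region
HEADER_WINDOW = 4096    # assumption: how far into the file to look for it


@dataclass
class Hit:
    path: str
    reasons: list


def looks_upx_packed(path, head_bytes=HEADER_WINDOW):
    """Cheap packer check: UPX section names / info block contain 'UPX!'."""
    try:
        with open(path, "rb") as fh:
            return UPX_MARKER in fh.read(head_bytes)
    except OSError:
        return False


def check_file(path):
    """Return a Hit listing every matching indicator, or None if clean."""
    name = os.path.basename(path)
    reasons = []
    if any(p.match(name) for p in DROPPED_NAME_PATTERNS):
        reasons.append("name matches a known dropped/lure file name")
    if name.lower().endswith(".pif"):
        if os.path.getsize(path) == KNOWN_SIZE:
            reasons.append("size matches the IRCBot.aaq sample (18,944 bytes)")
        if looks_upx_packed(path):
            reasons.append("UPX-packed .pif")
    return Hit(path, reasons) if reasons else None


def scan_tree(root):
    """Walk root and collect every file that trips at least one indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            hit = check_file(os.path.join(dirpath, f))
            if hit:
                hits.append(hit)
    return hits


def hit_names(root):
    """Sorted base names of all hits under root, for quick triage output."""
    return sorted(os.path.basename(h.path) for h in scan_tree(root))


def build_sample_tree():
    """Constructed fake %windows%/%system% layout (no real malware)."""
    root = tempfile.mkdtemp(prefix="ircbot_ioc_")
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    # Mimic the dropped .pif: correct size and a UPX marker near the header.
    pif = os.path.join(root, "photo album2007.pif")
    with open(pif, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100 + UPX_MARKER + b"\x00" * (KNOWN_SIZE - 106))
    open(os.path.join(root, "photo album.zip"), "wb").close()
    open(os.path.join(sysdir, "rdshost.dll"), "wb").close()
    open(os.path.join(sysdir, "kernel32.dll"), "wb").close()  # benign control
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_tree(sample_root):
        print(hit.path, "->", "; ".join(hit.reasons))
```

The name match alone is a weak signal (any user could own a file called "photo album.zip"), so the scanner reports the reasons per file rather than a single verdict; the .pif that matches on name, size and packer at once is the one worth pulling for analysis, while a lone name match deserves a look but not an automatic delete.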
Update 6:55 p.m, Mar.27, 2007:
Added a new variant: New variant of IRCBot.aaq
Update 6:50 p.m, Apr.3, 2007:
Added a new variant: The third variant of IRCBot.aaq
Update 7:00 p.m, July.2, 2007:
Added a new variant (myalbum2007.zip): IRCBot.acd spreads via MSN
Last modified by smallmo on July 2, 2007 22:30
eryz Says :
August 25, 2007 10:19
And one more thing, I tried all the methods in this forum, such as:
System restore (the com says that restoration was incomplete no matter wat date I restore at)
rdchost.dll (keeps reproducing itself! OMFG!)
rdihost.dll (cannot find it anywhere!)
Scanning using Norton (idiotic Norton says everything was alrite! Norton sux!)
Scan using Avast (currently scanning, using the scanner from this link http://www.avast.com/eng/down_cleaner.html)
Went to http://billys-recondite-ramblings.blogspot.com/2007/04/msn-photo-album-virus.html (cannot work)
And still the problem is there! HELLLLLLLLLPPPPPP!!!!
And as to quote LP: "WHO EVER CAME UP WITH THIS VIRUS IS ONE SICK SON OF A BITCH, BLOODY BASTARD. sigh~ bloody jobless motherfuckers."
eryz Says :
August 25, 2007 09:48
I think I got the latest version of the msn photoalbum virus.
Now it is called mjd.zip, and it says this when it is sent:
"a new picture off me and mjd" or
"hmm, is that me and you? got the picture from mjd, yo mamma is so fat, look at this picture" or
the one which I got when I 1st opened it: "lol, thats mjd."
SOMEONE PLS HELP!
Moonny replied on August 25, 2007 13:03
Could you send the file "mjd.zip" to me?
Please compress files in .RAR or .ZIP file and add the password: virus
Email: moonny@cisrt.com or newvirus@cisrt.com
Thanks.
Braingasim Says :
August 24, 2007 04:02
%SystemRoot%\system32\restore\rstrui.exe just do a restore to before you got it.
LP Says :
August 14, 2007 02:19
WHO EVER CAME UP WITH THIS VIRUS IS ONE SICK SON OF A BITCH, BLOODY BASTARD. sigh~ bloody jobless motherfuckers. anyways. whtz the remedy for this? thanx for the people who have been helping us out, really appreciate it. tc
cheers
Yan Says :
August 11, 2007 17:27
Gives supdog101 a big tray of freshly baked cookies~!
Thank you~! <3~ You are my life savior~!
How could I ever thank you?
<3~
jo Says :
August 10, 2007 15:14
I already deleted the photoalbum2007.zip thing and I deleted rdchost.dll but that one keeps reproducing!!
I can't find rdihost.dll, can someone PLEASE help me ><
cincity Says :
August 10, 2007 10:51
The regedit value might appear as "syshelps". And in the C:\Windows\system32\systesrt32.dll. Removing them and the .zip file should help.
Louise Says :
August 8, 2007 08:12
thanks supdog101 - I went to the site and followed the instructions - fingers crossed it looks like the msn virus has gone, AVG has just detected 4 viruses which I think I received due to this msn Trojan virus which allowed others to infect my pc.... SUPDOG101 thank you x
W~ Says :
August 2, 2007 13:33
new variant: Backdoor.Win32.IRCBot.acu
same as above, additional different numbers added to end of zip file: photo_album234.zip
Unknown differences of infection.
Elsje Says :
July 5, 2007 13:30
Another way that works: go to google and write "Avast", one of the best free anti-virus scans. You will only have to register and then it's free for 1 year, otherwise it's only free for 60 days -.-