W32/Checkout

Type: Virus
SubType: Internet Worm
Discovery Date: 06/04/2007
Length: Varies
Minimum DAT: 5045 (06/04/2007)
Updated DAT: 5489 (01/08/2009)
Minimum Engine: 5.1.00
Description Added: 06/04/2007
Description Modified: 03/09/2008 11:43 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Overview

This detection is for a worm which is capable of spreading through MSN.

Aliases

  • Backdoor.Win32.IRCBot.aaq (Kaspersky)
  • W32.Mubla (Symantec)

Characteristics

 -- Update March 10, 2008 -- 

The worm now spreads via an IM message "Hey this really looks alot like u" and contains a link. Clicking on the link will display an image and install the worm.

The following files are added:

  • %WINDIR%\admintxt.txt
  • %WINDIR%\live.messenger.com

A temporary file is written and injected as a DLL into explorer.exe:

  • %USERTEMP%\{random directory name}\{random}.tmp

(where %WINDIR% is the Windows directory, e.g. C:\Windows, and %USERTEMP% is the user's temporary directory, e.g. C:\Documents and Settings\username\Local Settings\Temp)

The following registry entry is modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSN Messenger: "live.messenger.com"

The worm then initiates an IRC connection to:

  • customer201-216-[removed].iplannetworks.net

It will also download additional malware via the following URLs:

  • http://193.227.[removed]/cntr/logo_bar.gif
  • http://89.18.[removed]/incal/aqua3d.dll

 -- Update June 4, 2007 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.shanghaidaily.com/sp/article/2007/200706/20070602/article_318161.htm

--

This worm spreads via MSN Messenger. When installed, it sends one of the following messages to recipients on the contact list, together with a zip file named photos.zip (~468 KB).

  • Here are my private pictures for you
  • Here are my pictures from my vacation
  • My friend took nice photos of me.you Should see em loL!
  • its only my photos!
  • Nice new photos of me and my friends and stuff and when i was young lol...
  • Nice new photos of me!! :p
  • Check out my sexy boobs :D
  • hey regarde mes tof!! :p
  • ma soeur a voulu que tu regarde ca!
  • j'ai fais pour toi ce photo album tu dois le voire :)
  • tu dois voire ces tof mes photos chaudes :D
  • c'est seulement mes tof :p
  • hey regarde les tof, c'est moi et mes copains entrain de.... :D
  • zijn enige mijn foto's wanna
  • Hey ziet mijn nieuw fotoalbum?
  • Hey beindigde enkel nieuw fotoalbum! :)
  • hey keurt mijn nieuw fotoalbum goed.. :p
  • het voor yah, doend beeldverhaal van mijn leven lol..

Upon execution, it creates a copy of itself in the Windows folder and also drops a DLL file:

  • %WINDIR%\photos.zip
  • %WINDIR%\system32\syshosts.dll

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

Adds the following values to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B18FDF1D-4FBB-411D-9C59-AAFA7D4998E0}\InProcServer32\: "syshosts.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshosts: "{B18FDF1D-4FBB-411D-9C59-AAFA7D4998E0}"

The worm connects to an IRC channel on the {blocked}.free8.biz domain.

Symptoms

  • Presence of the files/registry keys mentioned.
  • Unexpected network connection to the associated site(s).
  • MSN contacts receiving one of the messages with zip attachment.
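The first two symptoms can be checked without touching a live host, by running the file, registry and network indicators listed above against an inventory already collected from the suspect machine (a file listing, a registry export and the host's DNS or proxy log). The script below is an added example, not McAfee's tooling and not part of the original description. It assumes the inventory has been reduced to plain Python lists (file paths; registry values as key/name/data triples, with an empty name for a key's default value; contacted hostnames or URLs) and treats the redacted parts of the indicators ([removed], {blocked}, {random ...}) as wildcards. The sample inventory at the bottom is constructed for illustration.

```python
"""Offline IoC triage for the W32/Checkout indicators in the description.

Added example. The inventory format (lists of paths, (key, name, data)
registry triples and contacted endpoints) and the sample data below are
assumptions made for this example, not anything the advisory defines.
"""
import re

# File indicators exactly as the description lists them.
FILE_IOCS = [
    r"%WINDIR%\admintxt.txt",
    r"%WINDIR%\live.messenger.com",
    r"%WINDIR%\photos.zip",
    r"%WINDIR%\system32\syshosts.dll",
    r"%USERTEMP%\{random directory name}\{random}.tmp",
]

# Registry indicators as (key, value name, data). A trailing backslash in the
# description (InProcServer32\) denotes the key's default value, name "".
REGISTRY_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "MSN Messenger", "live.messenger.com"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B18FDF1D-4FBB-411D-9C59-AAFA7D4998E0}\InProcServer32",
     "", "syshosts.dll"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "syshosts", "{B18FDF1D-4FBB-411D-9C59-AAFA7D4998E0}"),
]

# Network indicators (IRC hosts and download URLs), redactions kept verbatim.
NETWORK_IOCS = [
    r"customer201-216-[removed].iplannetworks.net",
    r"{blocked}.free8.biz",
    r"http://193.227.[removed]/cntr/logo_bar.gif",
    r"http://89.18.[removed]/incal/aqua3d.dll",
]

# Only these three placeholder forms become wildcards; the CLSID in braces
# is a literal and must not be caught by this pattern.
PLACEHOLDER = re.compile(r"\[removed\]|\{blocked\}|\{random[^}]*\}")


def expand_env(ioc, env):
    """Replace %NAME% tokens with the host's actual directories."""
    for name, value in env.items():
        ioc = ioc.replace(f"%{name}%", value)
    return ioc


def compile_ioc(ioc, env=None):
    """Turn one indicator into a case-insensitive regex.

    {random ...} matches exactly one path component; [removed] and {blocked}
    match any redacted text. Everything else is escaped literally.
    """
    text = expand_env(ioc, env or {})
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))
        parts.append(r"[^\\]+" if m.group().startswith("{random") else r".+")
        pos = m.end()
    parts.append(re.escape(text[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


def match_files(paths, env):
    patterns = [(ioc, compile_ioc(ioc, env)) for ioc in FILE_IOCS]
    return [(ioc, p) for p in paths for ioc, pat in patterns if pat.fullmatch(p)]


def match_registry(values):
    """Registry keys and value names are case-insensitive on Windows."""
    hits = []
    for key, name, data in REGISTRY_IOCS:
        data_pat = compile_ioc(data)
        for k, n, d in values:
            if k.lower() == key.lower() and n.lower() == name.lower() and data_pat.fullmatch(d):
                hits.append((key, name, (k, n, d)))
    return hits


def match_network(endpoints):
    patterns = [(ioc, compile_ioc(ioc)) for ioc in NETWORK_IOCS]
    return [(ioc, e) for e in endpoints for ioc, pat in patterns if pat.fullmatch(e)]


def triage(files, registry, network, env):
    """Run all three indicator sets; any non-empty list is a finding."""
    return {
        "files": match_files(files, env),
        "registry": match_registry(registry),
        "network": match_network(network),
    }


# Constructed sample inventory for a Windows XP host (not real data).
SAMPLE_ENV = {"WINDIR": r"C:\Windows",
              "USERTEMP": r"C:\Documents and Settings\alice\Local Settings\Temp"}
SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\WINDOWS\photos.zip",
    r"C:\Windows\system32\syshosts.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\k3j2h\8f1a.tmp",
    r"C:\Documents and Settings\alice\Local Settings\Temp\setup.log",
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon.exe", r"C:\Windows\system32\ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "syshosts", "{B18FDF1D-4FBB-411D-9C59-AAFA7D4998E0}"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B18FDF1D-4FBB-411D-9C59-AAFA7D4998E0}\InProcServer32",
     "", "syshosts.dll"),
]
SAMPLE_NETWORK = ["irc.example-chat.net", "customer201-216-77.iplannetworks.net", "abc.free8.biz"]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_NETWORK, SAMPLE_ENV).items():
        for hit in hits:
            print(kind, "->", hit)
```

The SSODL and InProcServer32 indicators are deliberately matched as a pair: the CLSID under ShellServiceObjectDelayLoad is what makes Explorer load the DLL at logon, and the InProcServer32 default value is what names syshosts.dll, so a hit on either key alone is worth escalating even when the file itself has already been cleaned.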

Method of Infection

This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout).

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A