W32/Checkout!129452F6
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 07/30/2007
- Length: 52,736 bytes
- Minimum DAT: 5087 (07/31/2007)
- Updated DAT: 5087 (07/31/2007)
- Minimum Engine: 5.1.00
- Description Added: 07/30/2007
- Description Modified: 07/30/2007 3:29 AM (PT)
Characteristics
This worm spreads via MSN Messenger. When installed, it sends one or more of the messages below to contact list recipients, along with a malicious zip file named myalbum2007.zip (~52 KB).
Older DATs may detect this threat as "W32/IRCbot.worm.gen.o".
This worm attempts to detect the infected system's language settings and sends the instant messages, with the zip attachment, in the corresponding language.
English:
- Here are my very secret pictures for you.
- Here are my pictures from my vacation
- hmm is this you on the photo ?
- Check out my pics from my workplace.
- Nice new photos of me and my friends and stuff...
- ahh look this is my greatest picture made on vacation 2007, take a look
- Check out my nice photo album. :D
French:
- hey regarde les tof de notre bande de fous. :p
- hey c'est toi dans ces tof!!???
- hey regarde les tof, c'est moi et mes copains entrain de.... :D
- j'ai fais pour toi cet album de photos tu dois le voire :p
- stp regarde cet album de photos je lai fais specialement pour toi et mes amis...
- mes photos chaudes :D
- t'as pas encore vu ces tof???
Belarusian:
- hey bekijk eens mijn nieuwe foto album
- hey kijk eens naar mijn nieuwe foto alb
- hmm ben jij dit op de foto ?
- hey kijk ! dit is een lijst van mijn nieuwste fotos !!
- ahh kijk mijn mooiste foto album van vakantie 2007 bekijk ze eens :p
- kijk dit zijn fotos van mij werkplek! :)
- hmm ben jij dit op de foto ?
German:
- meine heißen Fotos ! :p
Italian:
- le mie foto calde :p
Spanish:
- mis fotos calientes
- mi fotograf
- Mi amigo tom
- las fotos agradables de m
- mis fotos calientes
- el lol mi hermana quisiera que le enviara este
- lbum de foto
Upon execution, it creates a copy of itself in the Windows folder and also drops a DLL file:
- %WINDIR%\myalbum2007.zip
- %WINDIR%\system32\sysprinters.dll
(Where %WINDIR% is the Windows folder; e.g. C:\Windows)
It adds the following values to the registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{Class ID (random)}\InProcServer32 = "sysprinters.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshosts
The worm connects to an IRC server at www.free{blocked}people.net
Symptoms
- Presence of the files/registry keys mentioned.
- Unexpected network connection to the associated site(s).
- MSN contacts receiving one of the messages with zip attachment.
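A read-only check for the file and registry indicators listed above, as an added PowerShell example (not part of the original description or of any vendor tool). It assumes an elevated prompt and uses only the file names, key paths and value names given on this page.

```powershell
# Added example, read-only: looks for the file and registry artifacts this
# description lists. Run elevated so all of HKLM\SOFTWARE\Classes is readable.
$findings = New-Object System.Collections.Generic.List[object]

# 1. Files created under the Windows folder (names taken from the description).
foreach ($rel in 'myalbum2007.zip', 'system32\sysprinters.dll') {
    $path = Join-Path $env:WINDIR $rel
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $size = (Get-Item -LiteralPath $path -Force).Length
        $findings.Add([pscustomobject]@{ Kind = 'File'; Location = $path; Detail = "$size bytes" })
    }
}

# 2. Value "syshosts" under ShellServiceObjectDelayLoad.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$prop = Get-ItemProperty -Path $ssodl -Name 'syshosts' -ErrorAction SilentlyContinue
if ($prop) {
    $findings.Add([pscustomobject]@{ Kind = 'Registry'; Location = "$ssodl\syshosts"; Detail = [string]$prop.syshosts })
}

# 3. The class ID is random, so walk every class and compare the default value
#    of its InProcServer32 subkey against the dropped DLL name.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $sub = $_.OpenSubKey('InProcServer32')
        if ($sub) {
            $server = [string]$sub.GetValue('')
            $sub.Close()
            if ($server -match '(^|\\)sysprinters\.dll$') {
                $findings.Add([pscustomobject]@{ Kind = 'Registry'; Location = "$($_.Name)\InProcServer32"; Detail = $server })
            }
        }
    } catch { }   # keys that cannot be opened are skipped
}

if ($findings.Count) { $findings | Format-List } else { 'None of the listed artifacts were found.' }
```

A match on the DLL name alone is a lead to investigate, not a verdict; the file and both registry entries together correspond to the behaviour described here.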
Method of Infection
This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
Overview
This detection is for a worm which is capable of spreading through MSN Messenger.
Older DATs may detect this threat as "W32/IRCbot.worm.gen.o".
Aliases
- Backdoor.Win32.IRCBot.acd (Kaspersky)
- W32.SillyIRC (Symantec)