W32/Checkout!4F51845B
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 07/31/2007
- Length: 705,315
- Minimum DAT: 5089 (08/02/2007)
- Updated DAT: 5089 (08/02/2007)
- Minimum Engine: 5.1.00
- Description Added: 07/31/2007
- Description Modified: 07/31/2007 10:37 PM (PT)
Characteristics
This is a worm spread via MSN Messenger.
W32/Checkout!4F51845B has the following attributes:
File size: 705,315 bytes
MD5: 54423AAB6C78C886954E4DED6740DA21
CRC32: 4F51845B
Upon execution, the worm attempts to access one of the following sites to retrieve the IP address of the victim machine.
- http://check.ip.dyndns.org
- http://whatismyip.com
It looks for the process "msnmsr.exe" and attempts to send the following message to contact list recipients.
Windows Messenger Buddy List Check.
Windows Messenger will now start a general routine messure which keeps our servers clean from hackers. This routine checking system can take up to 5 minutes.
Thank you for your patience.
- Microsoft Service Team
IMPORTANT NOTICE: Keyboard/Mouse Input is blocked during this check.
Once it sends the message, it displays one of the following messages.
---
Windows Messenger Buddy List Check Finished!
<NUMBER spammed users of>users in your list are used for prohibited hacking activities and therefor reported to the police.
Thank you for your understanding.
- Microsoft Service Team
---
Windows Messenger Buddy List Check Finished!
1 of <NUMBER spammed users of>user(s) in your list are used for prohibited hacking activities and therefor removed.
Thank you for your understanding.
- Microsoft Service Team
It also sends the following message.
OMG LoL regarde ste cam la http://www.[removed].com/webcam/livecam1.com :D
Symptoms
Upon execution, the worm drops the following file.
- c:\WINDOWS\windebug.log
It terminates the process "taskmgr.exe".
Method of Infection
The worm spreads via MSN Messenger.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This detection is for a worm which is capable of spreading through MSN Messenger.
Aliases
- Trojan.Win32.Autoit.ar (Kaspersky)
- W32.Imaut (Symantec)
- W32/IrcBot.BAW.worm (Panda)