W32/Checkout!0e4a3c52

Type: Virus
SubType: Internet Worm
Discovery Date: 12/25/2007
Length: 56,065 bytes
Minimum DAT: 5193 (12/26/2007)
Updated DAT: 5365 (08/20/2008)
Minimum Engine: 5.1.00
Description Added: 12/25/2007
Description Modified: 12/28/2007 10:44 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update December 26, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.cnetnews.com.cn/2007/1225/690433.shtml

This detection is for a variant of the W32/Checkout worm which was found spreading through MSN Messenger on Christmas day.

When installed, it sends one of the following messages to the recipients on the victim's contact list, together with a zip file named Christmas-2007.zip (~56 KB):

  • Christmas photo! :D
  • vengo de fi este foto álbum
  • Hey i que hace el álbum de foto! Si ve a el loL del em
  • xmas photo!: D
  • haha :D lol, christmas pictures off me
  • hola, My Christmas picture for you :)

It drops copies of itself in the Windows folder:

  • %Windir%\Christmas-2007.zip (W32/Checkout)
  • %Windir%\Servidevice.exe (W32/Checkout)

Christmas-2007.zip unzips to an img2007-12.JPEG.scr file (a screen-saver executable disguised as an image), which is detected as W32/Checkout.

It also creates the following registry value to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ryan1918" = "servidevice.exe"

This worm connects to an IRC channel on the {blocked}.bindshell.info domain.

Symptoms

  • Presence of the files/registry value mentioned above.
  • Unexpected network connection to the associated site(s).
  • MSN contacts receiving one of the messages above with a zip attachment.
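
A triage check for the symptoms listed above, added here as an example (it is not part of the original description). It is read-only, assumes Windows 8 / Server 2012 or later for Get-DnsClientCache, and matches on the bindshell.info suffix because the full IRC hostname is blocked in the text.

```powershell
# Added triage script for the W32/Checkout indicators in this description.
# Read-only: it reports findings and removes nothing. Run from an elevated prompt.
# Assumes Windows 8 / Server 2012 or later (Get-DnsClientCache).
$findings = @()

# 1. Dropped files in the Windows folder
foreach ($name in 'Christmas-2007.zip', 'Servidevice.exe') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Startup hook: the "ryan1918" Run value, or any Run value naming servidevice.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -eq 'ryan1918' -or
            ($prop.Value -is [string] -and $prop.Value -match 'servidevice\.exe')) {
            $findings += "Run value '$($prop.Name)' = '$($prop.Value)'"
        }
    }
}

# 3. The dropped executable running as a process
Get-Process -Name servidevice -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: PID $($_.Id) ($($_.Path))"
}

# 4. Recent name resolution for the IRC server's domain (the hostname is blocked
#    in the description, so match on the bindshell.info suffix)
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*.bindshell.info' } |
    ForEach-Object { $findings += "DNS cache entry: $($_.Entry) -> $($_.Data)" }

if ($findings.Count -eq 0) {
    'No W32/Checkout indicators found.'
} else {
    $findings
}
```

A hit on any item warrants scanning with the engine and DAT versions given at the top of this description rather than manual removal.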


Method of Infection

This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout).

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

Older Beta DATs may detect this threat generically as Generic Backdoor.u trojan.

Aliases

  • Backdoor.Win32.PBot.b (Rising)
  • IM-Worm.Win32.Agent.av (Kaspersky)
