MSN worm

W32/Dumaru.Z@mm myphoto.zip Removal

Posted by admin on March 13, 2008

This MSN worm is still being updated: the “myphoto.zip” variant follows the earlier “imageXX.zip” one.

It is also detected as Win32.IRCBot.gen.

The worm automatically sends a message to your MSN contacts with the attachment “myphoto.zip”. The message text will be one of the following:

checkout my newest pic before I upload!!
hey over there… check out my new photo!
when youre around accept.. its my new default pic.
u seen this crazy shit?
holy shit this new pic is hot as fuck!
I just made this design for a friend. U like it?
I think I had sex with them :X What should i do?
You don’t think I had sex with them… rite?
Is it horrible if I only remember the sex?
Is this really a pic of you?
Would you have had a threesome with them?
Wow! I can’t believe I had a threesome with them!
You see these crazy people? Almost havin sex on the dance floor!
u want to see something really funny? Take a look!
I cant stop laughing!

It creates the following files:
%Startup Folder%\dllxw.exe
%Windows%\rundllx.sys
%Windows%\winload.log
%System%\l32x.exe
%System%\vxd32v.exe
%Temp%\zip.tmp
%System%\msthost.exe
%System%\rdshost.dll

The worm may also steal e-gold account passwords and other data, and send them to the hard-coded email address
‘anyname2@btw.egold-hosting.com’

The worm runs at every Windows startup by adding a value under the Run key, for example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
load32 = C:\WINNT\System32\l32x.exe

It also loads a second copy alongside the Windows shell by appending itself to the Winlogon “Shell” value (which on a clean system contains only explorer.exe), for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
“Shell” = explorer.exe C:\WINNT\System32\vxd32v.exe
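Both persistence points above can be checked offline from a registry export (the standard `reg export` command produces one). The script below is an added example for this post, not part of the original page or of any anti-virus tool: it parses a .reg text file, flags Run entries that launch any of the file names listed above, and flags a Winlogon Shell value that runs anything besides explorer.exe. The embedded .reg text is constructed to mirror the values described in the post and is not a real capture.

```python
"""
Check a Windows registry export (.reg text) for the two persistence points the
post describes: an extra HKLM\...\CurrentVersion\Run entry and a Winlogon
"Shell" value extended past plain "explorer.exe".
Added example; not code from the original post or from any AV product.
"""
import re

# File names the post lists as dropped by the worm (indicators of compromise).
WORM_FILES = {
    "dllxw.exe", "rundllx.sys", "winload.log", "l32x.exe",
    "vxd32v.exe", "zip.tmp", "msthost.exe", "rdshost.dll",
}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (not a real capture): one benign Run entry, the
# worm's "load32" entry and the tampered Shell value from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"load32"="C:\\WINNT\\System32\\l32x.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINNT\\System32\\vxd32v.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
'''

# A .reg line of the form "name"="data"; backslash and quote are escaped with
# a backslash inside both strings, so the groups accept "\x" pairs.
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ values in a .reg export.
    Non-string value types (dword:, hex:) are skipped; they are not needed here."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _SZ_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _lookup(keys, wanted):
    """Case-insensitive key lookup: regedit writes SOFTWARE, the post writes Software."""
    for name, values in keys.items():
        if name.lower() == wanted.lower():
            return values
    return {}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_persistence(text):
    """Return a list of (key, value_name, data, reason) tuples for suspicious entries."""
    keys = parse_reg(text)
    hits = []
    # Any Run value whose command line contains one of the worm's file names.
    for name, data in _lookup(keys, RUN_KEY).items():
        if any(_basename(tok) in WORM_FILES for tok in data.split()):
            hits.append((RUN_KEY, name, data, "Run entry launches a known worm file"))
    # Shell should be exactly "explorer.exe"; anything else is an extra program.
    shell = _lookup(keys, WINLOGON_KEY).get("Shell")
    if shell is not None:
        tokens = shell.split()
        if [t.lower() for t in tokens] != ["explorer.exe"]:
            extra = " ".join(tokens[1:]) if tokens and tokens[0].lower() == "explorer.exe" else shell
            hits.append((WINLOGON_KEY, "Shell", shell,
                         "Shell value launches extra program(s): " + extra))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_persistence(SAMPLE_REG):
        print(f"{reason}\n  {key}\n  {name} = {data}")
```

On the constructed sample this reports the `load32` Run entry and the extended Shell value, and nothing for the benign SoundMAX entry. To check a real machine, export the two keys with `reg export` and pass the file contents to `find_persistence`; the file-name list is the one from this post, so add names from newer variants as they appear.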

How to remove?

Download SREng:
http://www.kztechs.com/sreng/sreng2.zip
Extract it to the Desktop.
Double-click SREng.exe to run it.
Select:
Smart Scan
Then click the [Scan] button.
When it finishes, click the [Save Reports] button.
Save the log to the Desktop, and send me an email with the log as an attachment:
mailto:egomoo#gmail.com
I would be glad to help you remove this worm.

