Virus name: Backdoor. (Kaspersky)
Virus size: 118,272 bytes
Boxing method: PE_Patch NTKrnl
Sample MD5:71b015411d27794c3e900707ef21e6e7
Sample SHA1: 934b80b2bfbb744933ad9de35bc2b588c852d08e
Discovery time: 2007.7
Updated: 2007.7
Method of transmission: spread through MSN
Technical Analysis
The virus sends messages to the MSN contacts and a poisoned compressed package disguised as photos. The system is infected when the other contact receives and opens the virus file in the compressed package.
The file name of the virus compressed package sent by the virus to the MSN contact is not fixed, and the message sent contains the Chinese pinyin.
After the virus is run, a ZIP compressed file containing its own copy is generated in the system directory %Windows%. The file name is not fixed and consists of the following characters and random numbers:
Code:
images
photos2007_
album
photo
photo_album
image0
For example:
photos2007_79.zip (photos2007_79.scr)
()
Create a copy of the virus:
%System%\
Release the dll injection process:
%System%\
Create ShellServiceObjectDelayLoad startup method:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"modems"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
[HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
@=""
Note: {XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXXXXXXXX} is a string of CLSIDs. The CLSID generated by the virus is not fixed, such as: {8EA5A050-8F75-4443-9830-9949156E066F}
The virus sends corresponding text messages to the MSN contacts according to the language of the poisonous system, and also sends a ZIP compressed packet with poison:
Quote:
Hey please look at me and my pet .. :p
Looking for hot summer pictures ? well here they are !! (h)
Look at me and my volleyball team, working our asses offff (h)
Hey please look at me and my pet .. :p
Psssssst .... just between me and you, please accept :$
This is me totaly naked :o please dont send to anyone else
bak sana Paris Hilton ne hale gelmis hapiste :(
Sen ve Ben !!! .... BAK :p
Baksana benim fotograflara hihi :p
Hey benim fotolarimi kabul et :o !!
Iyi arkadasimla fotorafdayim :$ !!
benim bu ciplak fotoda :o ama baskasina yollama
Regarde les tof de mes vacances en tunisie loool
Toi et moi !!! .... regarde :p
hey stp regarde mes tof !
Hey s'il te plait accepte mes photos :o !!
Une tof de moi et ...:$ !!
Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
Jij en Ik !!!! .... kijk :p
Kijk eens naar mijn fotos hihi :p
HEY !! accepteer mn fotos dan !
met mijn beste vriend op de foto !! :$
Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
du und ich !!! ....guck :p
siehe meine fotos hihi :p
hey bitte nimm meine fotos an :o !!
ein foto mit meinem besten freund und mir :$ !!
das bin ich total nackt :o bitte sende es niemand anderem
Guarda come Paris Hilton sprecato ? dopo che era imprijonata :(
Tu ed io !!! .... guarda :p
Guardi le mie foto hihi :p
Mairee photos accept karo :o !!
Una foto con me ed il mio amico migliore :$ !!
Questa e me totaly nudo :o prego non trasmette a chiunque
Veja como Paris Hilton est?acabada depois de ter sido presa :(
Voc?e eu !!!! .... Veja :p
Veja as minhas fotos hehehe :p
Por favor aceite as minhas fotos :o !!
Uma foto com o meu melhor amigo e eu :$ !!
Esta sou eu totalmente nua :o por favor n mande isso pra ningu
kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
NI HE WO !!! .... QING KAN :p
KAN WO DE ZHAOPIAN :p
JIESHOU WO DE ZHAO PIAN :o !!
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!
Kolla hur f未分st未分d Paris Hilton Gloss, efter att hon f生gslades :(
Du och jag !! .... Kolla ;)
Kolla p?min bilder, hihi :p
Hey, acceptera mina bilder, sn la :o
En bild p?mig och min b scalesta v :$ !!!
Detta king jag HELT naken.. :o Skicka inte till n annan, sn la...
Mira C-tee o Paris Hilton es perdida despu de deser encarcelada :(
Usted e yo !!! .... Mira :p
Mira mis fotos jejeje :p
Ha aceptado mis fotos por favor :o !!
Una foto con mi mejor amigo e yo :$ !!
Esta soy yo totalmente desnuda :o por favor no env para nadie
Lede hvor spild Paris Hilton er after hun fik f-hanging gsel :(
Jer og Mig !!! ... se :p
Se p?min fotos :p
Hej behage optage min foto :o !!
EN foto hos mig og min bedst ven :$ !!
denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
Try to connect to remote IRC: john.
Clear steps
==========
1. How to start the virus by deleting the virus (Start menu - Run - Enter "regedit" to enter the registry and find the instructions options in turn and follow the prompts):
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"modems"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
And corresponding:
Code:
[HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
@=""
2. Restart the computer
3. Delete the file
%System%\
%System%\
%userprofile%\
%userprofile%\{6-bit random letters}.exe
And the file name in the %Windows% directory consists of the following characters and random numbers, with a file size of about 116KB:
Code:
images
photos2007_
album
photo
photo_album
image0
For example:
photos2007_79.zip (photos2007_79.scr)
()
Virus size: 118,272 bytes
Boxing method: PE_Patch NTKrnl
Sample MD5:71b015411d27794c3e900707ef21e6e7
Sample SHA1: 934b80b2bfbb744933ad9de35bc2b588c852d08e
Discovery time: 2007.7
Updated: 2007.7
Method of transmission: spread through MSN
Technical Analysis
The virus sends messages to the MSN contacts and a poisoned compressed package disguised as photos. The system is infected when the other contact receives and opens the virus file in the compressed package.
The file name of the virus compressed package sent by the virus to the MSN contact is not fixed, and the message sent contains the Chinese pinyin.
After the virus is run, a ZIP compressed file containing its own copy is generated in the system directory %Windows%. The file name is not fixed and consists of the following characters and random numbers:
Code:
images
photos2007_
album
photo
photo_album
image0
For example:
photos2007_79.zip (photos2007_79.scr)
()
Create a copy of the virus:
%System%\
Release the dll injection process:
%System%\
Create ShellServiceObjectDelayLoad startup method:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"modems"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
[HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
@=""
Note: {XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXXXXXXXX} is a string of CLSIDs. The CLSID generated by the virus is not fixed, such as: {8EA5A050-8F75-4443-9830-9949156E066F}
The virus sends corresponding text messages to the MSN contacts according to the language of the poisonous system, and also sends a ZIP compressed packet with poison:
Quote:
Hey please look at me and my pet .. :p
Looking for hot summer pictures ? well here they are !! (h)
Look at me and my volleyball team, working our asses offff (h)
Hey please look at me and my pet .. :p
Psssssst .... just between me and you, please accept :$
This is me totaly naked :o please dont send to anyone else
bak sana Paris Hilton ne hale gelmis hapiste :(
Sen ve Ben !!! .... BAK :p
Baksana benim fotograflara hihi :p
Hey benim fotolarimi kabul et :o !!
Iyi arkadasimla fotorafdayim :$ !!
benim bu ciplak fotoda :o ama baskasina yollama
Regarde les tof de mes vacances en tunisie loool
Toi et moi !!! .... regarde :p
hey stp regarde mes tof !
Hey s'il te plait accepte mes photos :o !!
Une tof de moi et ...:$ !!
Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
Jij en Ik !!!! .... kijk :p
Kijk eens naar mijn fotos hihi :p
HEY !! accepteer mn fotos dan !
met mijn beste vriend op de foto !! :$
Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
du und ich !!! ....guck :p
siehe meine fotos hihi :p
hey bitte nimm meine fotos an :o !!
ein foto mit meinem besten freund und mir :$ !!
das bin ich total nackt :o bitte sende es niemand anderem
Guarda come Paris Hilton sprecato ? dopo che era imprijonata :(
Tu ed io !!! .... guarda :p
Guardi le mie foto hihi :p
Mairee photos accept karo :o !!
Una foto con me ed il mio amico migliore :$ !!
Questa e me totaly nudo :o prego non trasmette a chiunque
Veja como Paris Hilton est?acabada depois de ter sido presa :(
Voc?e eu !!!! .... Veja :p
Veja as minhas fotos hehehe :p
Por favor aceite as minhas fotos :o !!
Uma foto com o meu melhor amigo e eu :$ !!
Esta sou eu totalmente nua :o por favor n mande isso pra ningu
kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
NI HE WO !!! .... QING KAN :p
KAN WO DE ZHAOPIAN :p
JIESHOU WO DE ZHAO PIAN :o !!
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!
Kolla hur f未分st未分d Paris Hilton Gloss, efter att hon f生gslades :(
Du och jag !! .... Kolla ;)
Kolla p?min bilder, hihi :p
Hey, acceptera mina bilder, sn la :o
En bild p?mig och min b scalesta v :$ !!!
Detta king jag HELT naken.. :o Skicka inte till n annan, sn la...
Mira C-tee o Paris Hilton es perdida despu de deser encarcelada :(
Usted e yo !!! .... Mira :p
Mira mis fotos jejeje :p
Ha aceptado mis fotos por favor :o !!
Una foto con mi mejor amigo e yo :$ !!
Esta soy yo totalmente desnuda :o por favor no env para nadie
Lede hvor spild Paris Hilton er after hun fik f-hanging gsel :(
Jer og Mig !!! ... se :p
Se p?min fotos :p
Hej behage optage min foto :o !!
EN foto hos mig og min bedst ven :$ !!
denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
Try to connect to remote IRC: john.
Clear steps
==========
1. How to start the virus by deleting the virus (Start menu - Run - Enter "regedit" to enter the registry and find the instructions options in turn and follow the prompts):
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"modems"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
And corresponding:
Code:
[HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
@=""
2. Restart the computer
3. Delete the file
%System%\
%System%\
%userprofile%\
%userprofile%\{6-bit random letters}.exe
And the file name in the %Windows% directory consists of the following characters and random numbers, with a file size of about 116KB:
Code:
images
photos2007_
album
photo
photo_album
image0
For example:
photos2007_79.zip (photos2007_79.scr)
()