Tuesday, August 14, 2007

Img807.zip or MsnPoopy

Yesterday I was receiving some innocuous-looking file transfer requests from my friends in MSN Messenger. The file was Img807.zip, sent with a message like:

Did you take this picture?
is that you on the left?
How drunk was I in this picture?
Is that your mom in this picture?
lol, your mom just sent me this picture?


The zip contains a file named img807.jpg-www.photoalbums.com, which looks like a URL but is an executable: the name ends in .com, an extension Windows runs as a program. This was actually a worm!

I have written a small removal tool. You can get it here.

It seems to be a variant of the worm MsnPoopy.A.

Quick analysis shows that:
1. It creates a batch file c:\a.bat (deleted later) to execute the worm.

2. It stops the "Security Center" service and any running VNC servers (net1 stop winvnc4).

3. It creates two files, c:\windows\vpcrtf.exe and c:\windows\img807.zip. The original .com file and vpcrtf.exe are the same file (MD5 7299c5d5d5761779dfedfbd3808c8ed8).

4. It modifies the IE security ZoneMap and sets IE's proxy bypass (BypassProxy) back to enabled (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap).

5. It creates a startup entry named "Microsoft Visual Application" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

6. It connects to 85.114.143.159 (chat2.ms.com). An excerpt of the TCP stream shows it logging in to an IRC server there with a random nick.

Strings like these were found inside the exe:

[DDoS]: Flooding %s:%s with %s for %s seconds
[DDoS]: Done with flood (%iKB/sec).

The "chat server" is an IRC server; the IRC commands found in the binary are:

PASS %s
NICK %s
USER %s * 0 :%s
Leaving
QUIT %s
QUIT
JOIN
PART
QUIT
NOTICE
PRIVMSG
NICK
PING
PONG %s
NOTICE %s :%s
PRIVMSG %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
MODE %s %s
MODE %s %s %s

A captured session with chat2.ms.com (lines sent by the bot have no leading colon; lines from the server do):

PASS letmein
NICK drcdetbkfr
USER drcdetbkfr * 0 :XXXXX
:chat2.ms.com NOTICE AUTH :*** Looking up your hostname...
:chat2.ms.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:chat2.ms.com NOTICE drcdetbkfr :*** If you are having problems connecting due to ping timeouts, please type /quote pong E7514D5C or /raw pong E7514D5C now.
PING :E7514D5C
PONG E7514D5C
:chat2.ms.com 001 drcdetbkfr
:chat2.ms.com 002 drcdetbkfr : M0dded by uNkn0wn Crew
:chat2.ms.com 003 drcdetbkfr
:chat2.ms.com 004 drcdetbkfr : www.uNkn0wn.eu - iD@uNkn0wn.eu
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 422 drcdetbkfr :MOTD File is missing
:drcdetbkfr MODE drcdetbkfr :+iwxG
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
:drcdetbkfr!drcdetbkfr@18BA964C.E3E058E5.86DFE602.IP JOIN :##l##
:chat2.ms.com 332 drcdetbkfr ##l## :.msnstop|.msnstart
:chat2.ms.com 333 drcdetbkfr ##l## C 1186984256
:jmixkwtc!jmixkwtc@adsl-pool-222.123.92-138.tttmaxnet.com JOIN :##l##
:xfjgadoe!nawcggrq@222.111.240.15 JOIN :##l##
:toltsnwg!toltsnwg@0wn3d-5CBFC5F9.adsl.totbb.net QUIT :Ping timeout
PRIVMSG ##l## :MSN Spread Has Been Deactivated.
:xgdpzrej!xgdpzrej@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
:lfysnvlf!lfysnvlf@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:kqeocoup!kqeocoup@0wn3d-E41BFE89.tttmaxnet.com JOIN :##l##
:lyoiwhnz!lyoiwhnz@0wn3d-6F3B1EB.revip2.asianet.co.th JOIN :##l##
:kulbdupj!kulbdupj@aworklan024095.netvigator.com QUIT :Connection reset by peer
:cfpmzenv!cfpmzenv@A634004F.F5AADB4E.2BA61D.IP QUIT :Ping timeout
PRIVMSG ##l## :MSN worm sent to: 0 contacts

:koopoxxg!koopoxxg@59.44.43.155 JOIN :##l##
:ztuxqkph!ztuxqkph@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
PRIVMSG ##l## :MSN Spread Has Been Activated.
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:zmqtlvgt!zmqtlvgt@B1CADB.3F468E44.D7B2BA0C.IP JOIN :##l##
:ldsjwlel!ldsjwlel@0wn3d-5269B4BC.totbb.net JOIN :##l##
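The session above is easier to reason about once the bot's configuration is pulled out of it: the server password, the channel and its key, the topic the bot reads as its command, and the status lines it tries to report. The following Python is an added example, not code from this post, the removal tool or the worm; the sample session is constructed from the capture above (hostmasks shortened, some server lines dropped), and the profile fields and function names are my own.

```python
"""Reconstruct a bot's IRC C&C configuration from a captured session.

Added example; not the worm's code or the author's removal tool. The
sample session is constructed from the capture on this page (hostmasks
shortened, some server lines dropped); field and function names are mine."""
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_SESSION = """\
PASS letmein
NICK drcdetbkfr
USER drcdetbkfr * 0 :XXXXX
:chat2.ms.com NOTICE AUTH :*** Looking up your hostname...
PING :E7514D5C
PONG E7514D5C
:chat2.ms.com 001 drcdetbkfr
MODE drcdetbkfr -ix
JOIN ##L## torrent
:drcdetbkfr!drcdetbkfr@18BA964C.E3E058E5.86DFE602.IP JOIN :##l##
:chat2.ms.com 332 drcdetbkfr ##l## :.msnstop|.msnstart
:jmixkwtc!jmixkwtc@adsl-pool-222.123.92-138.tttmaxnet.com JOIN :##l##
PRIVMSG ##l## :MSN Spread Has Been Deactivated.
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
PRIVMSG ##l## :MSN worm sent to: 0 contacts
"""


@dataclass
class BotProfile:
    server: Optional[str] = None
    password: Optional[str] = None
    nick: Optional[str] = None
    channel: Optional[str] = None
    channel_key: Optional[str] = None
    topic: Optional[str] = None
    commands: list = field(default_factory=list)  # topic split on '|'
    reports: list = field(default_factory=list)   # bot's status PRIVMSGs
    peers: set = field(default_factory=set)       # other nicks seen joining
    pings_answered: int = 0


def parse_line(line):
    """Split one IRC line into (prefix, command, params, trailing).
    Lines the client sent carry no ':prefix'; server lines do."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return prefix, parts[0].upper(), parts[1:], trailing


def profile_session(text):
    """Fill a BotProfile from what the bot sends and what the server replies."""
    p = BotProfile()
    pending_ping = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        prefix, cmd, params, trailing = parse_line(raw.rstrip("\r"))
        if prefix is None:
            # Unprefixed: the bot's own traffic, or the server's bare PING.
            if cmd == "PASS":
                p.password = params[0]
            elif cmd == "NICK":
                p.nick = params[0]
            elif cmd == "JOIN":
                p.channel = params[0]
                p.channel_key = params[1] if len(params) > 1 else None
            elif cmd == "PING":
                pending_ping = trailing if trailing is not None else params[0]
            elif cmd == "PONG":
                token = trailing if trailing is not None else params[0]
                if token == pending_ping:  # keepalive answered correctly
                    p.pings_answered += 1
                    pending_ping = None
            elif cmd == "PRIVMSG":
                p.reports.append(trailing)
            continue
        sender = prefix.split("!", 1)[0]
        if "!" not in prefix and p.server is None:
            p.server = prefix  # server prefixes carry no user@host part
        if cmd == "332":       # RPL_TOPIC: the topic is the bot's command
            p.topic = trailing
            p.commands = [c for c in trailing.split("|") if c]
        elif cmd == "JOIN" and sender != p.nick:
            p.peers.add(sender)
    return p


def c2_indicators(p):
    """The fields a network detection rule would key on."""
    return {"server": p.server, "password": p.password,
            "channel": p.channel, "key": p.channel_key, "topic": p.topic}


if __name__ == "__main__":
    prof = profile_session(SAMPLE_SESSION)
    print(c2_indicators(prof))
    print("commands from topic:", prof.commands)
    print("status reports:", prof.reports)
    print("peers:", sorted(prof.peers), "pings answered:", prof.pings_answered)
```

Two details of the capture are worth keeping in mind when reading the output. The bot sends JOIN ##L## torrent and the server echoes ##l##, because IRC channel names are case-insensitive, so match on either case. And the server answered both status PRIVMSGs with a 404 (unregistered nick), so those lines show what the bot intended to report, not what reached the operator; the JOIN key and the topic string are the stable indicators.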

The removal tool simply kills vpcrtf.exe, removes the two files c:\windows\vpcrtf.exe and c:\windows\img807.zip, and deletes the registry startup entry.
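For readers who want to check a machine against the indicators from the analysis above (dropped files, the sample's MD5, the "Microsoft Visual Application" Run value) and apply the same three cleanup steps the removal tool performs, here is an added Python example. It is not the author's removal tool; the paths, the MD5 and the Run value name come from this page (the regsrv.exe path from the author's follow-up in the comments), while the function names and the dry-run output are my own.

```python
"""Check a Windows host for the indicators above and mirror the removal tool.

Added example; not the author's removal tool. Paths, the MD5 and the Run
value name come from this page (regsrv.exe from the author's follow-up
comment); the function names and dry-run output are my own."""
import hashlib
import ntpath
import os
import subprocess
import sys

DROPPED_FILES = {r"c:\windows\vpcrtf.exe", r"c:\windows\img807.zip"}
VARIANT_FILES = {r"c:\windows\system32\regsrv.exe"}  # later variant, per the comments
KNOWN_MD5 = {"7299c5d5d5761779dfedfbd3808c8ed8"}     # the .com dropper / vpcrtf.exe
RUN_VALUE_NAME = "microsoft visual application"      # compared case-insensitively
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def md5_of(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def classify_run_entries(entries, hashes=None):
    """entries: {value_name: command_line} read from a Run key.
    hashes: optional {lowercase_path: md5} for files already hashed.
    Returns [(value_name, exe_path, reasons)] for the suspicious ones."""
    hashes = hashes or {}
    hits = []
    for name, cmd in entries.items():
        exe = exe_from_command(cmd).lower().replace("/", "\\")
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("run value name used by the worm")
        if exe in DROPPED_FILES or exe in VARIANT_FILES:
            reasons.append("points at a dropped file")
        if hashes.get(exe) in KNOWN_MD5:
            reasons.append("md5 matches the sample")
        if reasons:
            hits.append((name, exe, tuple(reasons)))
    return hits


def read_run_entries(hive_name="HKLM"):
    """Enumerate the Run key in HKLM or HKCU (Windows only)."""
    import winreg  # stdlib, Windows only
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    entries, i = {}, 0
    with winreg.OpenKey(hive, RUN_SUBKEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            i += 1
    return entries


def clean(hits, dry_run=True):
    """Same steps as the removal tool: kill the process, delete the
    dropped files, remove the Run value. Returns the commands; runs them
    only when dry_run is False on Windows."""
    procs = {ntpath.basename(exe) for _, exe, _ in hits}
    files = DROPPED_FILES | VARIANT_FILES | {exe for _, exe, _ in hits}
    values = {name for name, _, _ in hits}
    actions = [f"taskkill /F /IM {p}" for p in sorted(procs)]
    actions += [f"del /F {f}" for f in sorted(files)]
    actions += [f'reg delete "HKLM\\{RUN_SUBKEY}" /v "{v}" /f' for v in sorted(values)]
    if not dry_run and sys.platform == "win32":
        for a in actions:
            subprocess.run(a, shell=True, check=False)
    return actions


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the infected Windows host")
    known = DROPPED_FILES | VARIANT_FILES
    hashes = {p: md5_of(p) for p in known if os.path.exists(p)}
    hits = classify_run_entries(read_run_entries("HKLM"), hashes)
    for name, exe, reasons in hits:
        print(f"{name} -> {exe}: {', '.join(reasons)}")
    for action in clean(hits, dry_run="--clean" not in sys.argv):
        print(action)
```

Run it from an elevated prompt: without arguments it only prints what it would do, with --clean it executes the commands. It does not touch the IE ZoneMap / proxy bypass change from item 4, which has to be checked by hand under HKEY_CURRENT_USER, and a clean result here only means these particular indicators are absent, which matters because the comments below describe variants with different file names.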


posted by GNUlihd @ 2:57 AM

10 Comments:

At 6:32 AM, Blogger Unknown said...

interesting, I hope that you've notified the parties involved ;)
if not:
http://www.castlecops.com/mirt
http://scanner.virus.org/
http://www.virustotal.com
and last but not least
http://virusscan.jotti.org/

cheers!

 
At 6:33 AM, Blogger Unknown said...

P.S. is it c:\windows\vpcrtf.exe or c:\windows\vpcrt.exe ?

 
At 10:19 PM, Blogger GNUlihd said...

In my case that was vpcrtf.exe.

And thanks for the suggestion.

Results from http://virusscan.jotti.org/


A-Squared Found nothing
AntiVir Found WORM/IRCBot.86528.3
ArcaVir Found Trojan.Ircbot.Zi
Avast Found nothing
AVG Antivirus Found BackDoor.Delf.OP
BitDefender Found Backdoor.Ircbot.ABEX
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.MulDrop.8316
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.IRCBot.zi
Fortinet Found W32/IRCBot.ZI!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.zi
NOD32 Found Win32/IRCBot.YH
Norman Virus Control Found nothing
Panda Antivirus Found Bck/IRCBot.BCF
Rising Antivirus Found nothing
Sophos Antivirus Found Troj/IRCBot-XJ
VirusBuster Found nothing
VBA32 Found nothing

 
At 2:04 AM, Anonymous Anonymous said...

IT'S OK, I KNOW HOW TO FIX THIS VIRUS.

TO YOUR STATIONS, MEN.

 
At 3:54 AM, Blogger cow said...

Thanks. Does Norton know about it yet? I updated it and scanned the files but it didn't come up with anything.

 
At 2:43 AM, Anonymous Anonymous said...

Thanks so much. But I had scanned it earlier and it was kind of OK. Then I used this removal tool of yours, which I got from my cousin, and it said "no virus found in this machine". Does this mean there isn't any virus / it's clean, or that it failed to find it?

Thanks again!!!!

KK

 
At 5:02 AM, Anonymous Anonymous said...

http://www.hackers-dna.ws/
hackers school

 
At 8:27 AM, Anonymous Anonymous said...

Hello, I used your tool already but it still automatically sends messages to my friends... how can I fix it?

 
At 8:48 PM, Blogger GNUlihd said...

Hey julyap, I have been noticing many other variants of this virus lately. I'll update when I get time.
For now:
1) Check with Task Manager whether a process 'regsrv.exe' is running. Kill it.
2) Remove the file (c:\windows\system32\regsrv.exe) if it exists; it mimics the genuine file regsvr32.exe.
3) Clear IE temporary files.

4) Use Process Explorer to see if any other suspicious processes are running (look at the 'Company Name' of those processes).

 
At 7:16 AM, Anonymous Anonymous said...

Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!

 