Note to all porno users
-
New virus spreading. If you are one of those porno users out there, be careful. Do not click on anything attachments.
These are the common attachments:
The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fuckin Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Fw: Picturs
Fw: DSC-00465.jpg
Word file
eBook.pdf
the file
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos
If you can't resist the temptations to view them, then I wish you good luck. I will post the removal tools after you click them.
-
-
Here's how a forwarded message looks like:
Note: forwarded message attached.
Hot XXX Yahoo Groups
F*ckin Kama Sutra pics
ready to be F*CKED
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
Please see the file.
>> forwarded message
----- forwarded message -----
i just any one see my photos. It's Free
how are you?
i send the details.
OK ?
Again, removal tools will be posted after you clicked on the attachments. -
You are one of them?Originally posted by RaTtY81: -
nopeOriginally posted by ndmmxiaomayi:You are one of them? 
-
More information:
The worm usually attached itself to e-mail messages as an executable file. It uses one the following names in attachment:
007.pif
School.pif
04.pif
photo.pif
DSC-00465.Pif
image04.pif
677.pif
New_Document_file.pif
eBook.PIF
document.pif
DSC-00465.pIf
_______________________________________________________________________
Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:
Video_part.mim
Attachments00.HQX
Attachments001.BHX
Attachments[001].B64
3.92315089702606E02.UUE
SeX.mim
Sex.mim
Original Message.B64
WinZip.BHX
eBook.Uu
Word_Document.hqx
Word_Document.uu
________________________________________________________________________
The filename inside MIME-encoding is one of the following:
New Video,zip .sCr
Attachments,zip .SCR
Atta[001],zip .SCR
Clipe,zip .sCr
WinZip,zip .scR
Adults_9,zip .sCR
Photos,zip .sCR
Attachments[001],B64 .sCr
392315089702606E-02,UUE .scR
SeX,zip .scR
WinZip.zip .sCR
ATT01.zip .sCR
Word.zip .sCR -
Sure? If you clicked, then no removal tools for you. Go search yourself. I will be good to you by giving you the virus name.Originally posted by RaTtY81:nope 
-
nope i guai guai 1 wun click on those linksOriginally posted by ndmmxiaomayi:Sure? If you clicked, then no removal tools for you. Go search yourself. I will be good to you by giving you the virus name. -
It can also spread to other network shares.
Here's the details:
The worm has several network spreading routines. One of them enumerates all available shares, then reads the values of the following Registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent"
"Personal"
The above Registry key values point to user's folders where personal documents and recently opened files are stored. If such foder is found, the worm opens it, enumerates files there, "borrows" one file name (randomly selected) and adds EXE extension to it. Then the worm copies itself to network shares with that name. If the worm does not find any files in those folders it copies itself to network shares with the following names:
New WinZip File.exe
Zipped Files.exe
movies.exe
The other network spreading routine searches for specific network shares and tries to copy itself using one of the following filenames:
\Admin$\WINZIP_TMP.exe
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe
At the same time the worm deletes the following file:
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
Before spreading the worm checks whether a remote computer has any of the following folders and if it does, the worm tries to delete all files from that folder:
\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
The worm also creates a scheduled task to run the worm's files on remote computer with system priviledges at the 59th minute of the current hour.
Antivirus no use....
-
OK. I trust you this time.Originally posted by RaTtY81:nope i guai guai 1 wun click on those links 
-
Post the picture here then all forumites get infected
-
How much you will pay for not listening:
The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc) and the worm's UPDATE.EXE file is run, it destroys files with those extensions on all available drives:
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
The files' contens get replaced with a text string "DATA Error [47 0F 94 93 F4 K5]". The payload is activated 30 minutes after the worm's file UPDATE.EXE is loaded into memory (basically 30 minutes after logon). We can confirm that the payload works at least on Windows XP.
The worm attempts to disable several security-related and file sharing programs. It deletes startup key values from the Registry if they contain any of the following:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
PCCIOMON.exe
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
The following startup Registry keys are affected:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
In addition the worm deletes files from the following subfolders in the Program Files folder:
\DAP\*.dll
\BearShare\*.dll
\Symantec\LiveUpdate\*.*
\Symantec\Common Files\Symantec Shared\*.*
\Norton AntiVirus\*.exe
\Alwil Software\Avast4\*.exe
\McAfee.com\VSO\*.exe
\McAfee.com\Agent\*.*
\McAfee.com\shared\*.*
\Trend Micro\PC-cillin 2002\*.exe
\Trend Micro\PC-cillin 2003\*.exe
\Trend Micro\Internet Security\*.exe
\NavNT\*.exe
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
\Grisoft\AVG7\*.dll
\TREND MICRO\OfficeScan\*.dll
\Trend Micro\OfficeScan Client\*.exe
\LimeWire\LimeWire 4.2.6\LimeWire.jar
\Morpheus\*.dll
In addition the worm reads location of certain programs from Windows Registry and deletes certain files in these locations. The affected software is:
VirusProtect6
Norton AntiVirus
Kaspersky Anti-Virus Personal
Iface.exe
Panda Antivirus 6.0 Platinum
Also the worm closes application windows that have the following strings in their captions:
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
For some reason the worm adds several license keys to the Registry. Most of them seem to belong to VB6 controls. Also the worm makes the following changes to the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath" = dword:00000001
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = dword:00000000
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView" = dword:00000000
The worm can modify Active Desktop files in order to launch another copy of itself named 'WinZip_Tmp.exe' using the ActiveX control.
______________________________________________________________
You have been warned.
-
Originally posted by ndmmxiaomayi:OK. I trust you this time.
den next time? -
LOL, I won't. You want to get my computer to be infected is it? Wait long long. I won't fall into your trap.Originally posted by maggot:Post the picture here then all forumites get infected -
I see how first.Originally posted by RaTtY81:
den next time? -
Something interesting about this virus:
The worm has an interesting feature. When it infects a computer it opens a web browser on a certain webpage. This increments the counter on that webpage. We were contacted by the organization that runs the site with that counter. They informed us that the counter readings were not accurate. There were multiple hits from the same IPs to the counter. According to the information we received, the number of hits from unique IPs is over 262000 which is still quite big. -
Originally posted by ndmmxiaomayi:I see how first.
-
OK, I go for lunch first. Meanwhile, slowly read this.
Those itchy fingers people, just be warned that I won't help. I give you virus name and you go settle yourself.
Unless you convinced me to help you. -
spywarestrike!!!
Go download it, it's very effective. -
MC ah....Originally posted by M©+square:spywarestrike!!!
Go download it, it's very effective.
You bad sia.
Ask them download another spyware and cause more problems for them. Don't believe, I show you
http://www.google.com/search?hl=en&q=spywarestrike&btnG=Google+Search -
Tsk! Let them download leh then say mah.Originally posted by ndmmxiaomayi:MC ah....
You bad sia.
Ask them download another spyware and cause more problems for them. Don't believe, I show you
http://www.google.com/search?hl=en&q=spywarestrike&btnG=Google+Search
No la. I not so bad one...i intend to delete my post in an hour's time.
But too bad, your already quote me le.
Cheers -
Originally posted by ndmmxiaomayi:MC ah....
You bad sia.
Ask them download another spyware and cause more problems for them. Don't believe, I show you
http://www.google.com/search?hl=en&q=spywarestrike&btnG=Google+Search
mc asking ppl to d/l spyware? -
I changed my mind. Decides to help you guys in case you all itchy fingers and cannot resist temptations.
Disinfection utility by F-Secure.
Disinfection utility by F-Secure (in case you can't access the above link)
The utility is distributed only in a ZIP archive that contains the following files:
* f-force.exe - the main executable file
* eult.rtf - End User License Terms document
* readme.rtf - Readme file in RTF format
* readme.txt - Readme file in ASCII format
Important Notice
Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!
Please note that the F-Force utility can disinfect only certain malicious programs. Besides the utility does not scan inside archives. So after cleaning a computer with the F-Force utility it is recommended to scan all hard drives with F-Secure Anti-Virus and the latest updates to make sure that no infected files remain there.
If you don't like F-Secure, here are other sites that can help you:
Symantec
McAfee
Computer Associates
Sophos
Trend Micro
Trend Micro
Kaspersky
Norman -
Wah....Originally posted by M©+square:Tsk! Let them download leh then say mah.
No la. I not so bad one...i intend to delete my post in an hour's time.
But too bad, your already quote me le.
Cheers
You really bad sia. -
Hmm, I don't know what he is up to.Originally posted by RaTtY81:
mc asking ppl to d/l spyware?