Well, you have picked up photo album.zip,
a file containing photos album-2007-5-26.scr
and:
C:\Windows\system32\syshosts.dll
It is possible that Avast does not detect it ...
UPDATE:
It is probably: Backdoor.Win32.IRCBot.aaq
The MSN message was something like this (French / English)
------ -------------------------------------------------- ------------
hey look at my tof! : P ma soeur a voulu que
Regarde ca tu! Regarde les tof
hey, c'est moi et mes copains entrain the .... : D j'ai fais pour toi
ce photo album tu dois le voir:)
tu dois voir ces tof mes photos chaudes
: D c'est seulement
cool knife: p
its only my photos
Hey want to see my new album?
Hey "is completed any new album! :) Hey
approve my new album anyway .. : P
for yah, doing cartoon of my life lol ..
meine hei and Photos! : P
le mie Calde picture: p mis fotos calientes
mi fotografas: p
Mi amigo tom las fotos agradables the m
el lol mi Hermana Quisiera que este le enviara
the photo album
English:
----------------------
Here are my private pictures for you
Here are my pictures from my vacation
My friend Took nice photos Should see me.you of em lol!
icts only my photos!
Nice new photos of me and my friends and stuff and When I Was Young ... lol
Nice new photos of me! : P
Check out my sexy boobs: D
It is also possible to get this:
close it with the cross.
Source text of these messages
If you received this in Dutch / English plus a link (I added an extra t and an extra w, just in case!):
The message sent to MSN contacts ---->
Is that you in this picture?
htttp: / / www.hothotpics.com/photo8.php
Is that you on this photo O
htttp: / / www .******. net/photo26.com
Is that you on this photo?
wwww.hot hotpeople.net/photo894.php
----------------------------
This is ----> Downloader.Win32.Agent.btu
Vundo trojan infection,
of this kind:
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\ddaia.dll
O20 - Winlogon Notify: DDAI - C:\WINDOWS\System32\ddaia.dll
The file name is random, so there is no similarity between cases apart from the number of characters and the classic O2/O20 pairing.
This is treated like a classic Vundo infection (though a scan with the FIX MSN cannot hurt!)
There is another attack that shows up as follows in a HijackThis report.
The MSN message was:
" Lol, I'm a haul from my sister yesterday with secretly watch my webcam ca
"
followed by a link to download:
webcam_00002.com?. Jpg
This is
webcam_00002.com / Backdoor.VanBot.dk
-----> in HijackThis:
O23 - Service: Microsoft Genuine Advantage - Unknown owner - C:\WINDOWS\System32\dllcache\winmga.exe
It is also disinfected with the FIX MSN.
In short, you have put your foot in it!
Do not panic and, as a first step, do this.
Come back here afterwards....
Download FIXMSN.zip here
you get this:
Close it once it has downloaded to your desktop.
Download and install IZArc if you have nothing to unzip with.
Double-click it.
You will get this:
Click the "extract" icon
Click on extract; it extracts to the desktop by default, which saves looking for it afterwards!
It has created and unpacked your fix in a folder:
Double-click it.
This opens ... it should have created a subfolder MSNFix; click on it again!
Then click on MsnFix.bat
Type "R" and press "Enter".
If the PC is clean:
Type "A" and press "Enter".
Notepad will open once the computer has finished thinking ....
Select the text (CTRL + A)
Copy the text to the clipboard (CTRL + C)
Paste the stored text into the forum where you place your cursor (CTRL + V)
If an infection has been found ....
make a report as before and copy it into the forum.
Wait for instructions.
-------------------------------------------------
If you have picked up photo8.com
via a message like:
" it you in this picture? http://www.hothotpics. com/photo8.php
That You on this photo is: O http://www .******. net/photo26.com
That is you on this photo www.hot hotpeople.net / photo894.php "
Wait for instructions; we will detect them in a HijackThis scan.
For information:
------------------------
You will certainly have O2 and O20 entries of this kind:
O2 - BHO: (no name) - {2034BA2F-49EF-99EB-6FAC-5F58BB828997} - C:\WINDOWS\system32\iiffbca.dll (file missing)
O20 - Winlogon Notify: iiffbca - C:\WINDOWS\system32\iiffbca.dll
iiffbca.dll is a random name; that is what is distinctive about it ....
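The O2/O20 pairing described above can be checked mechanically when triaging a pasted HijackThis log. The following is an added example, not part of the original post or of MSNFix: it lists system32 DLLs that are loaded both as a BHO (O2) and as a Winlogon Notify package (O20). The sample log is constructed from the lines quoted on this page plus two hypothetical benign entries (Example Helper, ExampleNotify). A match is a triage hint to examine the DLL, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: the O2/O20 lines quoted on this page plus two
# hypothetical benign entries (Example Helper, ExampleNotify).
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\ddaia.dll
O2 - BHO: (no name) - {2034BA2F-49EF-99EB-6FAC-5F58BB828997} - C:\WINDOWS\system32\iiffbca.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: DDAI - C:\WINDOWS\System32\ddaia.dll
O20 - Winlogon Notify: iiffbca - C:\WINDOWS\system32\iiffbca.dll
O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\system32\example.dll
"""

# O2 lines carry a CLSID before the path; O20 lines carry the Notify key name.
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+?\.dll)", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: .+? - (?P<path>.+?\.dll)", re.I)


def normalise(path):
    """Lower-case the path and drop spaces that forum pastes put around backslashes."""
    return re.sub(r"\s*\\\s*", r"\\", path.strip()).lower()


def paired_dlls(log_text):
    """Return the sorted system32 DLL paths referenced by both an O2 and an O20 entry."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                seen[normalise(m.group("path"))].add(kind)
    return sorted(p for p, kinds in seen.items()
                  if kinds == {"O2", "O20"} and "\\system32\\" in p)


if __name__ == "__main__":
    for dll in paired_dlls(SAMPLE_LOG):
        print("O2 + O20 share:", dll)
```

Matching is done on the DLL path rather than on the Notify key name, because in the first sample on this page the key name (DDAI) differs from the file name (ddaia.dll).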
---------------------------------------
If you are unable to connect to MSN,
try this:
Start / Run / type the following commands (confirm each one with OK):
This re-registers the DLLs.
regsvr32 softpub.dll
regsvr32 initpki.dll
regsvr32 mssip32.dll
Restart the machine.
Sometimes it is also necessary to reset the password.
https://accountservices.msn.com/uiresetpw.srf?lc=1036&id=2
Also check your version number; if it is too old (version 6), it is vulnerable.
http://www.microsoft.com/france/securite/bulletins/2005/200502_msnmessenger.mspx