Alias/es

Detection Availability

Visible Symptoms

• virus is received as a file in an instant message from a known contact that is infected
  
  
• infection by this virus is coupled with infections by two other backdoor threats
  
  
• virus may be received as a file named similar to an actual email address such as 'athomewithlee_hotmail.com' and has the same icon as MS Messenger
  
  

Detailed Analysis

This virus spreads to other contacts of Microsoft Messenger on an infected system. The virus enumerates all contacts and sends itself as a file to found contacts, sometimes with a message like any of these -

is that you?

wahaha!!!

check this out:

is this working?

Upon running this virus, an error message may be displayed and the mouse and keyboard are then blocked from use - the user is required to press the reset key, or force a reboot using the power on/off switch -

Meanwhile in the background, the virus will try to download binaries from two web hosted sites. The downloaded files (which are really viruses) are renamed to .EXE extension and run. The virus makes contact with these web servers to download the malware -

adserv.pwp.blueyonder.co.uk/eng-us/
b0tfilez.tripod.com/

The file are retrieved as .JPG image files however they are really 32bit executables renamed to .JPG extension.

The virus may then send a copy of itself to contacts listed in MS Messenger, starting the circle of infection over again.

Recommended Action

FortiGate systems:


• check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
  
  
  FortiClient systems:
  
  
• Quarantine/Delete infected files detected