Visible Symptoms
- virus is received as a file in an instant message from a known contact that
is infected
- infection by this virus is coupled with infections by two other backdoor
threats
- virus may be received as a file with a name resembling an actual email address,
such as 'athomewithlee_hotmail.com', and with the same icon as MS Messenger
Detailed Analysis
This virus spreads to other contacts of Microsoft Messenger on an infected
system. The virus enumerates all contacts and sends itself as a file to the
contacts it finds, sometimes with a message like any of these -
- is that you?
- wahaha!!!
- check this out:
- is this working?
Upon running this virus, an error message may be displayed and the mouse and
keyboard are then blocked from use - the user is required to press the reset
key, or force a reboot using the power on/off switch.

Meanwhile in the background, the virus will try to download binaries from two
web hosted sites. The downloaded files (which are really viruses) are renamed
to .EXE extension and run. The virus makes contact with these web servers to
download the malware -
adserv.pwp.blueyonder.co.uk/eng-us/
b0tfilez.tripod.com/
The files are retrieved as .JPG image files; however, they are really 32-bit
executables renamed to the .JPG extension.
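A defender can catch this extension/content mismatch by inspecting file headers instead of trusting the name. The following is an added example, not part of the original analysis; the function names and the sample bytes are constructed for illustration.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"          # start of every JPEG stream
IMAGE_EXTS = (".jpg", ".jpeg")
MACHINE_I386 = 0x014C                 # IMAGE_FILE_MACHINE_I386 (32-bit x86)

def pe_machine(data):
    """Return the COFF Machine value if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew at offset 0x3C of the DOS header points to the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine

def classify(name, data):
    """Compare a downloaded file's extension with what its bytes really are."""
    is_image_name = name.lower().endswith(IMAGE_EXTS)
    machine = pe_machine(data)
    if is_image_name and machine is not None:
        kind = "32-bit PE" if machine == MACHINE_I386 else "PE"
        return f"ALERT: {kind} executable with image extension"
    if is_image_name and not data.startswith(JPEG_MAGIC):
        return "SUSPICIOUS: image extension but no JPEG signature"
    return "ok"

def build_sample_pe(machine=MACHINE_I386):
    """Constructed header bytes only (not a runnable program), for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # PE header directly after DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)

if __name__ == "__main__":
    # Constructed samples: file names and contents are illustrative.
    samples = {
        "picture1.jpg": build_sample_pe(),
        "holiday.jpg": JPEG_MAGIC + b"\xe0" + bytes(16),
        "notes.jpg": b"plain text, not an image",
    }
    for name, data in samples.items():
        print(f"{name}: {classify(name, data)}")
```

The same check fits a proxy or mail gateway hook, where it runs on the response body before the file reaches disk.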
The virus may then send a copy of itself to contacts listed in MS Messenger,
starting the circle of infection over again.