Worm - Myphoto.zip .exe (question)

TeaLeaf · May 31, 2007, 07:49:34 AM

One of our own is currently having an issue with a worm that seems very similar to the W32/Dumaru worm from January 2004. The 2004 variant was a keylogger worm with its own SMTP engine and arrived via an email attachement called:

Myphoto.zip [48 spaces] .exe

The new version (if it is at all related) appears to be spread via MSN and the worm repeatedly tries to send the above file to everyone in the infected machine's MSN address book. The file name under MSN simply shows up as

Myphoto.zip (58KB)

I cannot find any information about this particular variant of W32/Dumaru or indeed if it is a brand new worm.

Does anyone have any information about this or can anyone help?

TL.

TeaLeaf · May 31, 2007, 07:59:34 AM

Sounds very similar to the transmission of the W32/Bropia worm?

TL.

BigFatCat · May 31, 2007, 08:03:48 AM

All the info is for the older variants, with a smaller payload size.
I'd submit a sample to the big AV names, though they won't update your product if you're not using theirs.

TeaLeaf · May 31, 2007, 08:14:09 AM

Yep, can do that, but I'd rather have that happen from the source machine (which is not mine) and not deliberately accept it onto my own systems. Will pass that recommendation back to source.

TL.

DuVeL · May 31, 2007, 08:24:49 AM

Seems it does 2 things Paul;
Port 2283 seems to be opend as a TCP-proxy, meanwhile through port 10.000 an ftp-server is up that gives acces to all the files on the harddrive from a PC.

Here is some info for Dumaru;
http://www.pchell.com/virus/dumaruy.shtml

http://antivirus.about.com/cs/allabout/a/dumaruy.htm
http://antivirus.about.com/cs/virusencyclopedia/p/dumaruz.htm

Will see if I can find some more interesting articles which might help out.

TeaLeaf · May 31, 2007, 10:26:52 AM

Well a virus scan this morning discovered 'something' with a 'D' in the name, but the log was deleted so we'll never know what it was :doh:

Case closed. Move along please, nothing to see here......

TL.

Doorman · May 31, 2007, 11:27:50 AM

/Doorman puts hand up. Twas me. Scanned again, checked running processes, checked registry, startup folder er...that's it. No sign of any beasties. Good work TL and Duvel. Good links, top advice. :thumb:

Blunt · May 31, 2007, 11:30:34 AM

Quote from: TeaLeaf;191906...discovered 'something' with a 'D' in the name...
TL.

Quote from: Doorman;191924/Doorman puts hand up. Twas me.

:roflmao:

Doorman · May 31, 2007, 11:41:20 AM

:roflmao:

Quote from: Blunt;191926

D, Doorman, I get it!:roflmao:

TeaLeaf · May 31, 2007, 01:09:40 PM

Small update. Whilst one virus was found and removed, the original still appears to be there - so if you get any MSN file transfers at the moment do not accept!

From research it appears to be an English (badly translated) variant of the orignal Spanish W32/MsnPhoto.A.worm. This was first picked up about 20th May so is a pretty new one. None of the AV sites as yet carry any info about other variants.

Ron is currently installing a commercial AV package in the hope of finding the little bar steward. When active and MSN is logged in then Ron does not get to control MSN and he cannot shut down MSN via task manager. It's a nasty little bugger :sad:

TL.

Doorman · May 31, 2007, 04:03:28 PM

Another update: Scanned with McAfee (cheers BFC) and that found AOO14418.exe with which it took exception to. I then did a search for myphoto.zip and it was found in C:\RECYCLERS. I scanned it and it showed up clean. I've deleted it anyway. I'm now scared to start up MSN Messenger (Good thing, I hear some of you cry)
Point of order, Is not RECYCLERS the recycle bin? No? :getmecoat:

Anonymous · May 31, 2007, 04:17:36 PM

Quote from: Doorman;191968Another update: Scanned with McAfee (cheers BFC) and that found AOO14418.exe with which it took exception to. I then did a search for myphoto.zip and it was found in C:\RECYCLERS. I scanned it and it showed up clean. I've deleted it anyway. I'm now scared to start up MSN Messenger (Good thing, I hear some of you cry)
Point of order, Is not RECYCLERS the recycle bin? No? :getmecoat:

What AV package do you normally run Ron?

Doorman · May 31, 2007, 05:30:52 PM

Quote from: BlueBall;191973What AV package do you normally run Ron?

Avast 4 freebie type home deal.

TeaLeaf · May 31, 2007, 05:50:32 PM

Quote from: Doorman;191968Point of order, Is not RECYCLERS the recycle bin? No? :getmecoat:

I don't know where the recycle bin is, but I do not have that folder on my PC.

TL.

Bob · May 31, 2007, 05:59:26 PM

Quote from: TeaLeaf;192003I don't know where the recycle bin is, but I do not have that folder on my PC.

You should have it - but it is a hidden system folder, so unless you have checked the options to show that kind of stuff, you won't see it.

But I saw that Ron wrote RECYCLERS, and not RECYCLER. If it's just a typo, that it's not a big deal - the latter is the recycle bin folder.
If it on the other hand weren't a typo, than something fishy might be going on...