Antiy Ghostbusters completely removes the MSN worm "Sexy Chicken"

2005-02-03 9:30, 3rd update

Antiy CERT

Antiy CERT captured an MSN worm on February 3rd, 2005 and named it IM-Worm.Win32.Webcam.a. The number of infected hosts is rising rapidly and the spread shows a clear epidemic trend.

1. Basic features:

Name: IM-Worm.Win32.Webcam.a

Original size: 188,928 bytes

Packer: PESpin

Compiler: Microsoft Visual Basic 6.0

Once running, the worm floods the victim's MSN Messenger contacts with messages and sends them a copy of itself. The transferred copy is given a random file name with an executable extension such as .SCR, .EXE or .PIF. Observed file names include:

LMAO.pif

LOL.scr

naked_drunk.pif

hot.pif

underware.pif

2. Behavioral analysis

• After running, the worm drops a file named CZ.EXE in the root of drive C:, copies it to %system% as winhost.exe, and sets that copy's attributes to hidden, read-only and system. It also changes the copy's file creation time to match that of the system files, so that it does not stand out by date in a directory listing. CZ.EXE is not simply another copy of IM-Worm.Win32.Webcam.a; it is a variant of the IRCBot family (details below).

• The worm writes a copy of itself under a random file name in the root of drive C:, with an extension such as .PIF or .SCR; this is the file it sends to MSN contacts.

At the same time it writes another copy of itself to %system%\msnus.exe and executes that copy.

• The worm adds itself to the registry autostart entries so that it is loaded again after a reboot. The hive is not recorded in this analysis, so check both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER:

Software\Microsoft\Windows\CurrentVersion\Run
value name : win32
value data : winhost.exe

Software\Microsoft\Windows\CurrentVersion\RunServices
value name : win32
value data : winhost.exe

Software\Microsoft\OLE
value name : win32
value data : winhost.exe

Of these, only Run and RunServices are launched by Windows itself; the OLE value is not an autostart point, but it is a useful infection marker and should be removed along with the others.

• The worm writes a picture file named Sexy.jpg to the root of drive C: and opens it with the associated image viewer; the result is shown in Pic 1.

Pic 1

• Sets the master volume of the system sound to 0. The likely purpose is to suppress MSN Messenger's notification sounds, so that the user does not notice the messages being sent from their account.

• Monitors the MSN Messenger window, sends messages to the contact list and transfers copies of itself to the contacts.

The dropped CZ.EXE is in fact an IRC backdoor. When executed it copies itself to %system%\winhost.exe, runs that copy, and then repeatedly connects to freeupdate.homeip.net on port 8080.

Details of the dropped component (CZ.EXE):

Virus name: IM-Worm.Win32.Webcam.a (Sexy Chicken)

Original size: 124,416 bytes

Packer: PESpin

Compiler: Microsoft Visual C++

3. Solution

Following the behavioral analysis above, the worm can be removed manually: terminate the worm and backdoor processes first (Windows will not delete an executable that is still running), then delete the files they were loaded from, and finally remove the registry autostart values. Re-check after a reboot, since msnus.exe and winhost.exe each re-launch a copy.

Users of Antiy Ghostbusters should update the virus database immediately; the updated database removes the MSN worm completely.
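The indicators from the behavioral analysis in section 2 and the manual clean-up described in section 3 are easier to apply consistently as a small triage script. The following Python is an added example written for this page; it is not Antiy's tool, not the worm's code, and not a reproduction of Antiy Ghostbusters. The indicator values (file paths, process names, registry values, lure names, control-channel endpoint) are taken from the analysis above; the host-snapshot layout (processes, files with attributes, registry values, TCP connections) and the infected snapshot itself are constructed assumptions standing in for whatever collector you use.

```python
import re
from dataclasses import dataclass

# Indicators taken from the behavioral analysis above. Paths are compared
# lower-cased with %system% expanded at scan time.
DROPPED_FILES = {r"c:\cz.exe", r"%system%\winhost.exe", r"%system%\msnus.exe", r"c:\sexy.jpg"}
WORM_PROCESSES = {"cz.exe", "winhost.exe", "msnus.exe"}
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\ole",
}
AUTOSTART_VALUE = ("win32", "winhost.exe")          # (value name, value data)
C2_ENDPOINT = ("freeupdate.homeip.net", 8080)
LURE_NAMES = {"lmao.pif", "lol.scr", "naked_drunk.pif", "hot.pif", "underware.pif"}
# Any executable sitting directly in the C:\ root is a candidate random-name copy.
ROOT_EXECUTABLE = re.compile(r"^c:\\[^\\]+\.(pif|scr|exe)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # process | file | lure | registry | network
    target: str  # what to terminate, delete or block
    note: str


def _norm(path, system_dir):
    return path.lower().replace("%system%", system_dir.lower())


def find_indicators(snap):
    """Match a host snapshot (dict layout assumed by this example) against the indicators."""
    dropped = {_norm(p, snap["system_dir"]) for p in DROPPED_FILES}
    findings = []
    for proc in snap["processes"]:
        if proc.lower() in WORM_PROCESSES:
            findings.append(Finding("process", proc, "worm/backdoor process is running"))
    for path, attrs in snap["files"]:
        p = path.lower()
        if p in dropped:
            note = "dropped component"
            if {"hidden", "readonly", "system"} <= set(attrs):
                note += " (hidden+readonly+system, as described)"
            findings.append(Finding("file", path, note))
        elif p.rsplit("\\", 1)[-1] in LURE_NAMES:
            findings.append(Finding("lure", path, "known lure file name"))
        elif ROOT_EXECUTABLE.match(p):
            findings.append(Finding("lure", path, "executable in C:\\ root, possible random-name copy"))
    for key, name, data in snap["registry"]:
        if key.lower() in AUTOSTART_KEYS and (name.lower(), data.lower()) == AUTOSTART_VALUE:
            findings.append(Finding("registry", key + "\\" + name, "autostart value (check HKLM and HKCU)"))
    for host, port, proc in snap["connections"]:
        if (host.lower(), port) == C2_ENDPOINT:
            findings.append(Finding("network", f"{proc} -> {host}:{port}", "IRC backdoor control channel"))
    return findings


# Cleanup order: cut the control channel, stop processes before touching their
# image files (Windows will not delete an executable that is still running),
# then files, then the autostart values, and finally re-scan.
CLEANUP_ORDER = {"network": 0, "process": 1, "file": 2, "lure": 2, "registry": 3}


def removal_plan(findings):
    steps = [(f.kind, f.target) for f in sorted(findings, key=lambda f: CLEANUP_ORDER[f.kind])]
    steps.append(("verify", "re-run find_indicators after reboot; expect no findings"))
    return steps


# Constructed snapshot of an infected Windows XP host for demonstration; not real telemetry.
INFECTED = {
    "system_dir": r"C:\WINDOWS\system32",
    "processes": ["explorer.exe", "msnmsgr.exe", "winhost.exe", "msnus.exe"],
    "files": [
        (r"C:\CZ.EXE", set()),
        (r"C:\WINDOWS\system32\winhost.exe", {"hidden", "readonly", "system"}),
        (r"C:\WINDOWS\system32\msnus.exe", set()),
        (r"C:\LMAO.pif", set()),
        (r"C:\k3j9x.scr", set()),
        (r"C:\Sexy.jpg", set()),
        (r"C:\WINDOWS\system32\kernel32.dll", set()),
        (r"C:\WINDOWS\explorer.exe", set()),
    ],
    "registry": [
        (r"Software\Microsoft\Windows\CurrentVersion\Run", "win32", "winhost.exe"),
        (r"Software\Microsoft\Windows\CurrentVersion\RunServices", "win32", "winhost.exe"),
        (r"Software\Microsoft\OLE", "win32", "winhost.exe"),
        (r"Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ],
    "connections": [("freeupdate.homeip.net", 8080, "winhost.exe"), ("messenger.hotmail.com", 1863, "msnmsgr.exe")],
}

if __name__ == "__main__":
    hits = find_indicators(INFECTED)
    for h in hits:
        print(f"[{h.kind}] {h.target}: {h.note}")
    for step in removal_plan(hits):
        print(*step)
```

The plan only orders the work; executing it is left to the operator or a per-platform wrapper. The ROOT_EXECUTABLE check is deliberately broader than the five lure names on this page, because the advisory says the spread copy gets a random name, so a lone .pif or .scr in the root of C: deserves a look even when its name is not on the list.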

Free download link for Antiy Labs' special removal tool for prevalent worms:

http://www.antiy.com/resource/freetolls/avlpk.exe

Download link for the trial edition of Antiy Ghostbusters:

http://www.antiy.net/download/agb4p.exe

Antiy Ghostbusters:

Antiy Ghostbusters (AGB) is an advanced information security utility consisting of an anti-hacker tool and an information security configuration toolkit. AGB detects and removes Trojans, backdoors and worms, which hide in your system like ghosts, damage it and steal your confidential information. AGB also includes many useful tools; the toolkit helps you manage the information security configuration of your system.

About Antiy Labs:

Antiy Labs is a comprehensive research enterprise whose main fields are information technology and network security. Antiy actively explores advanced areas such as anti-virus and information watermarking, and has developed many products on its own core technology, including Antiy Ghostbusters, the AV Leach anti-virus engine SDK, and VDS.

As a technology-oriented enterprise, Antiy treats technology as its guide and innovation as its soul, and works untiringly behind the scenes. In the past few years, as a technology and resource supplier, Antiy has provided related technologies and products to domestic and international security enterprises, key systems, universities and others.


Copyright © 1999-2001 Antiy Labs All rights reserved