Virus Characteristics
-- Update August 12, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.darkreading.com/document.asp?doc_id=131362
This variant of W32/Checkout may be detected as W32/Generic.Delphi.a in earlier versions of the DAT.
This worm spreads via MSN Messenger. When installed, it sends one of the following messages to recipients on the contact list, together with a zip file named img1756.zip (~42 KB).
- look @ my cute new puppy :-D
- look @ this picture of me, when I was a kid
- I just took this picture with my webcam, like it?
- check it, i shaved my head
- have u seen my new hair?
- what the fuck, did you see this?
- hey man, did you take this picture?
Upon execution, it creates a copy of itself in the Windows folder and also drops a zip file:
- %WINDIR%\img1756.zip (W32/Checkout zipped)
- %WINDIR%\svchost.exe (W32/Checkout)
(Where %WINDIR% is the Windows folder; e.g. C:\Windows)
It also drops an a.bat file to stop the following services. The .bat file is deleted after execution.
It adds the following value to the registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"
The worm connects to an IRC channel on {blocked}.basecase.info.
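The indicators above (the Run value, the two files dropped directly in %WINDIR%, the lure texts with the img1756.zip attachment, and the basecase.info IRC domain) can be checked with a small script. The following is an added example written for this description, not McAfee's detection logic: it takes plain Python snapshots of the Run key, file paths, chat lines and DNS names so it runs offline, and all sample data at the bottom is constructed (the real IRC host is redacted in the write-up, so only the parent domain is matched).

```python
"""Indicator checks for the W32/Checkout artifacts described above (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Host indicators taken from the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "microsoft genuine logon"
DROPPED_FILES = ("svchost.exe", "img1756.zip")   # both dropped directly in %WINDIR%
IRC_DOMAIN = "basecase.info"                     # host part is redacted as {blocked}
LURE_ATTACHMENT = "img1756.zip"
LURE_MESSAGES = (
    "look @ my cute new puppy :-D",
    "look @ this picture of me, when I was a kid",
    "I just took this picture with my webcam, like it?",
    "check it, i shaved my head",
    "have u seen my new hair?",
    "what the fuck, did you see this?",
    "hey man, did you take this picture?",
)


@dataclass(frozen=True)
class Finding:
    source: str   # "registry", "file", "chat" or "dns"
    detail: str


def _norm_text(s: str) -> str:
    """Lower-case and collapse whitespace so trivial edits do not defeat the match."""
    return re.sub(r"\s+", " ", s).strip().lower()


def check_run_values(run_values: dict) -> list:
    """run_values: {value_name: value_data} snapshot of the HKLM Run key."""
    findings = []
    for name, data in run_values.items():
        exe = ntpath.basename(data.strip('"')).lower()
        if _norm_text(name) == RUN_VALUE_NAME:
            findings.append(Finding("registry", f'{RUN_KEY}\\"{name}" = "{data}"'))
        elif exe == "svchost.exe":
            # The genuine service host is started by the Service Control Manager,
            # never from a Run value, so any Run entry launching svchost.exe is suspect.
            findings.append(Finding("registry", f'Run value "{name}" launches svchost.exe: {data}'))
    return findings


def check_files(paths, windir: str) -> list:
    """Flag the dropped names only when they sit directly in %WINDIR%, not System32."""
    windir_norm = ntpath.normcase(ntpath.normpath(windir))
    findings = []
    for p in paths:
        p_norm = ntpath.normcase(ntpath.normpath(p))
        if ntpath.dirname(p_norm) == windir_norm and ntpath.basename(p_norm) in DROPPED_FILES:
            findings.append(Finding("file", p))
    return findings


def check_chat(messages) -> list:
    """messages: iterable of (sender, text, attachment_name_or_None)."""
    lures = {_norm_text(m) for m in LURE_MESSAGES}
    findings = []
    for sender, text, attachment in messages:
        if attachment and attachment.lower() == LURE_ATTACHMENT:
            findings.append(Finding("chat", f"{sender} sent {attachment}"))
        elif _norm_text(text) in lures:
            findings.append(Finding("chat", f"{sender}: lure text {text!r}"))
    return findings


def check_dns(hostnames) -> list:
    """Flag any lookup of the IRC domain or a host beneath it."""
    findings = []
    for h in hostnames:
        h_norm = h.strip().rstrip(".").lower()
        if h_norm == IRC_DOMAIN or h_norm.endswith("." + IRC_DOMAIN):
            findings.append(Finding("dns", h))
    return findings


def scan(run_values, files, windir, messages, hostnames) -> list:
    """Run every check and return the combined list of findings."""
    return (check_run_values(run_values) + check_files(files, windir)
            + check_chat(messages) + check_dns(hostnames))


# Constructed sample data: one infected-looking host plus benign noise.
SAMPLE_RUN_VALUES = {
    "Microsoft Genuine Logon": "svchost.exe",                               # worm persistence
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",     # benign
}
SAMPLE_FILES = [
    r"C:\Windows\svchost.exe",            # dropped copy
    r"C:\WINDOWS\img1756.zip",            # dropped zip (case differs on purpose)
    r"C:\Windows\System32\svchost.exe",   # legitimate service host, must not be flagged
]
SAMPLE_CHAT = [
    ("alice", "look @ my cute new  puppy :-d", None),
    ("bob", "see you at 5", None),
    ("carol", "check this out", "IMG1756.ZIP"),
]
SAMPLE_DNS = ["example-host.basecase.info", "www.example.com"]  # first host is a constructed stand-in

if __name__ == "__main__":
    for f in scan(SAMPLE_RUN_VALUES, SAMPLE_FILES, r"C:\Windows", SAMPLE_CHAT, SAMPLE_DNS):
        print(f"[{f.source}] {f.detail}")
```

The file check deliberately compares the parent directory against %WINDIR% rather than matching on the name svchost.exe alone, since the legitimate service host in %WINDIR%\System32 would otherwise produce a false positive; the same reasoning is why a Run value that launches svchost.exe is flagged regardless of its name.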