Friday, December 7, 2007

W32/Checkout!91d0b88a Virus

W32/Checkout!91d0b88a
Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/11/2007
Date Added: 8/11/2007
Origin: N/A
Length: 41,984 bytes
Type: Virus
SubType: Internet Worm

Virus Characteristics

This worm spreads via MSN Messenger. When installed, it sends one of the following messages to contact-list recipients and sends a zip file named img1756.zip (~42 KB).

* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?

Upon execution, it creates a copy of itself in the Windows folder and also drops a zip file:

* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

It also drops a batch file named a.bat to stop the following services. The .bat file is deleted after execution.

* Security Center
* winvnc4

It adds the following value to the registry:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"

The worm connects to an IRC channel on {blocked}.basecase.info.
Indications of Infection

* Presence of the files/registry keys mentioned
* Unexpected network connection to the associated site(s).
* MSN contacts receiving one of the messages with zip attachment.
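
A host-side check for the indications listed above, as an added example (Python; not from the advisory or its vendor). It runs against a constructed snapshot dictionary standing in for the live file system, the Run key and the IM client's log, and it also flags any Run value that launches svchost.exe, since the real service host is started by services.exe rather than through the Run key.

```python
import ntpath
import re

# Indicators quoted from the advisory text above.
RUN_VALUE_NAME = "microsoft genuine logon"
DROPPED_FILES = {"img1756.zip", "svchost.exe"}   # dropped directly into %WINDIR%
LURES = {
    "look @ my cute new puppy :-d",
    "look @ this picture of me, when i was a kid",
    "i just took this picture with my webcam, like it?",
    "check it, i shaved my head",
    "have u seen my new hair?",
    "what the fuck, did you see this?",
    "hey man, did you take this picture?",
}

def _norm(text):
    """Case-fold and collapse whitespace so lure comparison is tolerant."""
    return re.sub(r"\s+", " ", text.strip().lower())

def check_files(windir, files):
    """files: {full path: size in bytes}. The legitimate svchost.exe lives in
    %WINDIR%\\System32, so a copy directly under %WINDIR% is suspect."""
    return [f"dropped file {p} ({s} bytes)" for p, s in files.items()
            if ntpath.basename(p).lower() in DROPPED_FILES
            and _norm(ntpath.dirname(p)) == _norm(windir)]

def check_run_values(run_values):
    """run_values: {Run value name: command line}. Flags the advisory's value
    name and any Run entry launching svchost.exe (the real service host is
    started by services.exe, never through the Run key)."""
    hits = []
    for name, cmd in run_values.items():
        parts = cmd.strip().strip('"').split()
        exe = ntpath.basename(parts[0]).lower() if parts else ""
        if name.lower() == RUN_VALUE_NAME or exe == "svchost.exe":
            hits.append(f"run value {name!r} -> {cmd!r}")
    return hits

def check_messages(messages):
    """messages: outgoing IM texts from the client log; returns lure matches."""
    return [f"lure sent: {m!r}" for m in messages if _norm(m) in LURES]

def assess(snapshot):
    """snapshot: a constructed dict with keys windir, files, run_values, messages
    (a real collector would fill these from the host)."""
    return (check_files(snapshot["windir"], snapshot["files"])
            + check_run_values(snapshot["run_values"])
            + check_messages(snapshot["messages"]))
```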
Method of Infection
This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout).
