Wednesday, August 22, 2007

virus: myphotos2007.zip - spread via msn messenger

I received a message from a friend in MSN Messenger:
"What do you think of this picure? i feel i look ugly :/"
followed by an attachment in zip format, "myphotos2007.zip".
Without suspecting anything, I unzipped the file and clicked on it (file name: DSC515607.jpg-www.pictureland.com). Nothing happened, and after a while MSN Messenger windows kept appearing and disappearing; I knew something was not right. I quickly logged off.
The first thing I did was scan with Norton Antivirus, but it found nothing. I tried to go to other antivirus websites like Trend Micro, Kaspersky, etc., but failed (a login was required). I knew this was a computer virus (worm) infection. (I was able to download a trial version of BitDefender 10; trust me, this antivirus is no use: it takes hours to install and hours to uninstall, and the uninstall still fails.)

Solution:

  • Turn off System Restore
  • Restart in Safe Mode
  • Go to the Windows directory and delete myphotos2007.zip (%Windows%\myphotos2007.zip)
  • Go to the Windows System32 directory and delete newsystem25.dll (%System%\newsystem25.dll)
  • Go to the user profile and delete new.txt (%UserProfile%\new.txt)
  • Run regedit
  • Delete [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"prodigy1"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
  • Delete [HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]@="newsystem25.dll"
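
The cleanup steps above, written as an added PowerShell check script (example code, not part of the original post). It looks for exactly the files and registry entries listed, resolves the CLSID from the "prodigy1" value instead of assuming one, and only removes anything when run with -Remove; the function name Test-MyPhotosWorm is my own.

```powershell
# Added example: report (and optionally remove) the artifacts this post lists.
# Run from an elevated prompt, in Safe Mode with System Restore off as above.
function Test-MyPhotosWorm {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remove)

    $findings = @()
    # Dropped files named in the post. %Windows% = $env:windir, %System% = System32.
    $files = @(
        (Join-Path $env:windir 'myphotos2007.zip'),
        (Join-Path $env:windir 'System32\newsystem25.dll'),
        (Join-Path $env:USERPROFILE 'new.txt')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += "file: $f"
            if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove file')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    # Persistence: a ShellServiceObjectDelayLoad value "prodigy1" holding the CLSID
    # of a COM object whose InProcServer32 default value points at newsystem25.dll.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $clsid = (Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue).prodigy1
    if ($clsid) {
        $findings += "registry: $ssodl\prodigy1 = $clsid"
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll -like '*newsystem25.dll*') {
            $findings += "registry: $server = $dll"
            if ($Remove -and $PSCmdlet.ShouldProcess($server, 'Remove CLSID key')) {
                Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -Recurse -Force
            }
        }
        if ($Remove -and $PSCmdlet.ShouldProcess("$ssodl\prodigy1", 'Remove value')) {
            Remove-ItemProperty -Path $ssodl -Name prodigy1
        }
    }
    return $findings
}

# Report only; add -Remove to clean up, or -Remove -WhatIf to preview the deletions.
Test-MyPhotosWorm
```
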
After all these steps, I still found that I could not connect to antivirus websites. I downloaded "Ad-Aware", installed the free version, scanned my machine and applied some fixes.

Done! Back to normal, but BitDefender 10 left me with serious trouble, as I am not able to uninstall it although I don't want to use it.

Virus name:
Backdoor.Win32.IRCBot.ex (Kaspersky Lab) is also known as: W32.Esbot.B (Symantec), BackDoor.IRC.Sdbot.126 (Doctor Web), Win32.Worm.EsBot.B (SOFTWIN), Worm.ESBot.B (ClamAV), Bck/IRCbot.KG (Panda), Win32/IRCBot.OO (Eset)

2 comments:

Wai Wong said...

I got this virus today. But I didn't accept the file, since it's from someone unknown to me.
I wouldn't open files received from people I don't know.

In blues said...

You are lucky. I got the file from my friend.