MSN Photo ("Sexy Photo Album") virus: manual removal method

Source: Internet
Author: User
Tags: manual, zip

Virus Name: MSN Photo (WORM.MAIL.PHOTOCHEAT.A)

Virus type: Worm virus

Virus Hazard Level: ★★★☆

Virus Analysis:

This is a worm that spreads through MSN. Its behaviour is as follows:

1. After running, the virus creates a compressed copy of itself named Photos.zip in the %windir% directory and drops a dynamic library, syshosts.dll, into the %system% directory; this library is loaded into multiple system threads to carry out the spreading function.

2. The virus creates the following registry value so that it is loaded automatically at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"syshosts" = {1E3EF678-AFB7-4420-9CCF-3725505ACA10}

3. The virus sends the Photos.zip it generated to the user's MSN contacts by simulating keyboard and mouse input, accompanied by one of the following messages:

Here are me private pictures for your
Here are me pictures from I vacation
My friend took nice photos o F me.you Should you lol!
its only my photos!
Nice new Photos The me and my friends and stuff and I were young lol ...
Nice new photos of me!!:p
Check out my sexy boobs:D
Hey regarde mes tof!!:p
ma soeur a voulu que t U regarde ca!
Hey regarde les tof, c ' est moi et mes copains entrain de ...:D
J ' ai Fais pour toi ce photo album Tu dois le Vo Ire:)
tu dois voire ces tof
mes photos chaudes:D
C ' est seulement mes tof:p
zijn enige mijn foto's
wanna Hey ziet mijn nieuw fotoalbum?
Indigde Enkel Nieuw fotoalbum!:)
Hey keurt mijn nieuw fotoalbum goed.:p
het voor yah, doend beeldverhaal van mijn leven lol ...
en fotos!:p
Le mie foto calde:p
mis fotos calientes
as:p
Lbum de foto

4. The virus connects to the Www.free8.bi address, logs on to a specific IRC channel under a specific nickname, and spreads messages in that IRC chat channel.

Manual removal method

Step 1: delete the virus's registry startup entry

1. Click the "Start" menu, choose "Run", and enter "Regedit.exe" to open Registry Editor.

2. Open the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

locate the value named "syshosts" and record its data. For example, on this machine the data is "{8D4C2FB9-6DF1-46EA-B6A0-6403640115D6}". (See Figure I)

Figure I

3. Delete the syshosts value.

4. Open the HKEY_CLASSES_ROOT\CLSID key in the registry and find the subkey named after the value just recorded, in this case {8D4C2FB9-6DF1-46EA-B6A0-6403640115D6} (see Figure II).

Figure II

5. Restart the computer.
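The same check can be scripted: the following PowerShell audit, added here as an example and not part of the original article, lists every ShellServiceObjectDelayLoad value, resolves its CLSID to the DLL Explorer would load, and flags the "syshosts" name and "syshosts.dll" file described above. The value names, DLL names and the optional removal of the orphaned CLSID key are assumptions for this example; run it elevated, and use -WhatIf to preview before removing anything.

```powershell
# Added example (not from the original article): audit the ShellServiceObjectDelayLoad
# autostart key and resolve each CLSID to the DLL it loads. Assumes Windows PowerShell 5+.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Indicators taken from the article; anything else is reported but left alone.
    [string[]]$SuspectNames = @('syshosts'),
    [string[]]$SuspectDlls  = @('syshosts.dll')
)

$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
if (-not (Test-Path $ssodl)) { Write-Warning "Key not present: $ssodl"; return }

$key = Get-Item -Path $ssodl
foreach ($name in $key.GetValueNames()) {
    $clsid = [string]$key.GetValue($name)

    # Each value's data is a CLSID; Explorer loads HKCR\CLSID\{guid}\InprocServer32 at logon.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $inproc   = Join-Path $clsidKey 'InprocServer32'
    $dll = $null
    if (Test-Path $inproc) {
        $dll = [string](Get-Item -Path $inproc).GetValue('')   # default value = DLL path
    }

    $suspect = ($SuspectNames -contains $name) -or
               ($dll -and ($SuspectDlls -contains (Split-Path -Leaf $dll)))

    # Report every entry so the analyst can also spot unknown names or DLL paths.
    [pscustomobject]@{ Name = $name; CLSID = $clsid; Dll = $dll; Suspect = $suspect }

    if ($suspect -and $PSCmdlet.ShouldProcess("$ssodl\$name and $clsidKey", 'Remove')) {
        # Step 3 of the removal method: drop the autostart value.
        Remove-ItemProperty -Path $ssodl -Name $name
        # Assumption: also remove the now-orphaned CLSID key located in step 4.
        Remove-Item -Path $clsidKey -Recurse -ErrorAction SilentlyContinue
    }
}
```

A restart (step 5) is still needed afterwards, because the DLL stays loaded in Explorer until the shell is restarted.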
