Virus Name: MSN Photo (WORM.MAIL.PHOTOCHEAT.A)
Virus type: Worm virus
Virus Hazard Level: ★★★☆
Virus Analysis:
This is a worm that spreads through MSN. Its behavior is as follows:
1. After it runs, the worm packs a copy of itself into an archive named Photos.zip and drops it into the %windir% directory, and drops a dynamic library named syshosts.dll into the %system% directory. That library is loaded into the system and starts multiple threads that carry out the spreading function.
2. The worm creates the following registry value so that it is loaded automatically at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"syshosts" = {1E3EF678-AFB7-4420-9CCF-3725505ACA10}
3. The worm sends the generated Photos.zip to the victim's other MSN contacts by simulating keyboard and mouse operations in the MSN client. The accompanying message is one of the following:
Here are me private pictures for your
Here are me pictures from I vacation
My friend took nice photos o F me.you Should you lol!
its only my photos!
Nice new Photos The me and my friends and stuff and I were young lol ...
Nice new photos of me!!:p
Check out my sexy boobs:D
Hey regarde mes tof!!:p
ma soeur a voulu que t U regarde ca!
Hey regarde les tof, c ' est moi et mes copains entrain de ...:D
J ' ai Fais pour toi ce photo album Tu dois le Vo Ire:)
tu dois voire ces tof
mes photos chaudes:D
C ' est seulement mes tof:p
zijn enige mijn foto ' s
wanna Hey ziet mijn nieuw fotoalbum?
Indigde Enkel Nieuw fotoalbum!:)
Hey keurt mijn nieuw fotoalbum goed.:p
het voor yah, doend beeldverhaal van mijn leven lol ...
en fotos!:p
Le mie foto calde:p
mis fotos calientes
as:p
Lbum de foto
4. The worm connects to the address Www.free8.bi, logs on to a specific IRC channel under a specific nickname, and posts messages in that IRC chat channel.
Manual removal method
First, delete the worm's startup entry from the Registry
1. Click the "Start" menu, choose Run, and enter "Regedit.exe" to start Registry Editor.
2. Open the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
locate the value named "Syshosts" and record its data. For example, the data on this machine is "{8D4C2FB9-6DF1-46EA-B6A0-6403640115D6}". (See figure I)
Figure I
3. Delete the syshosts value.
4. Open the HKEY_CLASSES_ROOT\CLSID key in the Registry and find the subkey whose name matches the value you just recorded, in this case {8D4C2FB9-6DF1-46EA-B6A0-6403640115D6} (see figure II).
Figure II
5. Restart the computer.
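The following PowerShell script is an added example, not part of the original advisory. It automates the checks behind the analysis and the removal steps above: it reads the "syshosts" value under ShellServiceObjectDelayLoad, resolves the recorded CLSID under HKEY_CLASSES_ROOT\CLSID to the DLL it loads, and looks for the dropped files. The value name, key paths and file names come from the advisory; the assumption that %system% means %windir%\system32, the -Remove switch and all variable names are this script's own. Run it from an elevated prompt; with -Remove -WhatIf it only previews what it would delete.

```powershell
# Added example: audit (and optionally remove) the persistence described in the advisory.
# Assumptions: %system% is taken to be $env:windir\system32; the -Remove switch and
# variable names are this script's own, not the advisory's.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$ssodl     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$valueName = 'syshosts'   # value name used by the worm (from the advisory)
$findings  = @()

# Step 1: look for the ShellServiceObjectDelayLoad entry and record its CLSID,
# exactly as step 2 of the manual procedure tells the reader to do by hand.
$clsid = $null
if (Test-Path $ssodl) {
    $props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $clsid = $props.$valueName
        $findings += "SSODL value '$valueName' present, CLSID = $clsid"
    }
}

# Step 2: resolve the recorded CLSID to the library it loads (InprocServer32 default value).
# On an infected machine this is expected to point at syshosts.dll.
$clsidKey = $null
if ($clsid) {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $inproc   = "$clsidKey\InprocServer32"
    if (Test-Path $inproc) {
        $dll = (Get-ItemProperty -Path $inproc).'(default)'
        $findings += "CLSID $clsid loads: $dll"
    } else {
        $findings += "CLSID $clsid has no InprocServer32 subkey"
    }
}

# Step 3: look for the files the advisory says are dropped.
$droppedFiles = @(
    (Join-Path $env:windir 'Photos.zip'),
    (Join-Path $env:windir 'system32\syshosts.dll')
)
foreach ($f in $droppedFiles) {
    if (Test-Path $f) { $findings += "Dropped file present: $f" }
}

if (-not $findings) {
    Write-Output 'No indicators of WORM.MAIL.PHOTOCHEAT.A found.'
    return
}
$findings | ForEach-Object { Write-Output $_ }

# Optional removal, in the order the advisory gives: the startup value first,
# then the CLSID subkey it pointed to. -WhatIf previews without changing anything.
if ($Remove -and $clsid) {
    if ($PSCmdlet.ShouldProcess("$ssodl\$valueName", 'Remove startup value')) {
        Remove-ItemProperty -Path $ssodl -Name $valueName
    }
    if ((Test-Path $clsidKey) -and $PSCmdlet.ShouldProcess($clsidKey, 'Remove CLSID subkey')) {
        Remove-Item -Path $clsidKey -Recurse
    }
    Write-Output 'Registry entries removed; restart the computer to finish the cleanup.'
}
```

The script deliberately resolves the CLSID before touching anything: a ShellServiceObjectDelayLoad entry is loaded by explorer.exe at logon, so confirming which DLL the CLSID maps to is what distinguishes this worm's entry from a legitimate shell extension. The dropped DLL itself is not deleted here, since the advisory's removal section covers only the Registry entries and a restart.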