Micro Computer Service - Brockville
NEWS and ALERTS

This area contains news and alerts ranging from everyday geek stuff to the latest security threats.  If you need assistance with anything you read below, please send a message - a phone call will do little good, as most instructions will have to be emailed or sent via computer anyway.


Skype Trojan, Virus, Worm

Posted by Administrator (admin) on Nov 01 2007 at 20:31

There appears to be a Trojan/virus/worm on the loose that attacks Skype and spreads to the people on your contact list.  If you receive an instant message containing a link, even one that appears to come from a trusted contact, do not click it.

The wording in the message varies, but I have been able to grab these variations from other sources on the 'net:

[02:11:52] NAME SAYS: hey
[02:11:53] NAME SAYS: how are u ? :)
[02:12:03] NAME SAYS: your photos looks realy nice
[02:12:05] NAME SAYS: look what crazy photo Tiffany sent to me,looks cool
[02:12:06] NAME SAYS: http://www.myimagespace.net/erotic-gallerys/usr5d8c/


[02:12:08] NAME SAYS: really funny
[02:12:11] NAME SAYS: http://www.fakme.org/erotic-gallerys/usr5d8c/
[02:12:16] NAME SAYS: (rofl)
[02:12:18] NAME SAYS: what ur friend name wich is in photo ?
[02:12:21] NAME SAYS: (devil)


[20:01:52] NAME SAYS: hey
[20:02:05] NAME SAYS: where I put ur photo
[20:02:10] NAME SAYS: http://www.fakme.org/erotic-gallerys/usr5d8c/
[20:02:20] NAME SAYS: what ur friend name wich is in photo ?
[20:02:23] NAME SAYS: (rofl)


[20:51:45] NAME SAYS: hey
[20:51:46] NAME SAYS: how are u ?
[20:52:00] NAME SAYS: where I put ur photo
[20:52:02] NAME SAYS: haha lol
[20:52:05] NAME SAYS: http://www.fakme.org/erotic-gallerys/usr5d8c/


[20:35:43] NAME SAYS: where I put ur photo
[20:35:51] NAME SAYS: http://www.myimagespace.net/erotic-gallerys/usr5d8c/
[20:36:03] NAME SAYS: you checked ?


[09:43:49] NAME SAYS: how are u ? :)
[09:43:49] NAME SAYS: look
[09:43:54] NAME SAYS: really funny
[09:43:59] NAME SAYS: http://www.fakme.org/erotic-gallerys
[09:44:10] NAME SAYS: what ur friend name wich is in photo ?
[09:44:13] NAME SAYS: :D

If the link is clicked, you are directed to download an executable .SCR file from socsec.co.il that installs malicious code.  The system HOSTS file also appears to be edited to keep your computer from receiving antivirus updates.

This worm copies itself to the following locations, so delete these files:

%SYSDIR%\stwinsdat.exe
%SYSDIR%\odcwinst.exe
%SYSDIR%\windb32.exe
%SYSDIR%\servftc.exe

The registry is altered so that the process runs again after a reboot; remove these entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• Windows Sysdat="explorer.exe odcwinst.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• "Logon Settings2"="odcwinst.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• "Policies Options2"=<value unreadable in source>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• System Driver2=-

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• "Services Start2"="odcwinst.exe"

The following registry keys are added, remove these entries:

HKLM\Software\RMX\cfg
• j="j"

HKCU\Software\RMX\cfg
• j="j"

The HOSTS file is altered to block contact with antivirus sites and definition updates. Remove all entries from the HOSTS file.
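As an added example that is not part of the original post, the following PowerShell script checks a machine for the dropped files, registry entries and HOSTS mappings listed above and only reports what it finds, so the results can be reviewed before anything is deleted. It assumes %SYSDIR% is %SystemRoot%\System32 and that the HOSTS file sits in its default location under drivers\etc.

```powershell
# Audit script (added example, not from the original post). Reports only; no deletion.
$sysDir = Join-Path $env:SystemRoot 'System32'   # assumption: %SYSDIR% = System32

# 1. Files the worm copies itself to
$files = 'stwinsdat.exe', 'odcwinst.exe', 'windb32.exe', 'servftc.exe'
foreach ($f in $files) {
    $p = Join-Path $sysDir $f
    if (Test-Path -LiteralPath $p) { "FOUND file: $p" }
}

# 2. Registry values used to restart the process after reboot (key -> value name)
$values = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';              Name = 'Windows Sysdat' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';              Name = 'Logon Settings2' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run';   Name = 'Policies Options2' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                      Name = 'System Driver2' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';                  Name = 'Services Start2' }
)
foreach ($v in $values) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        "FOUND registry value: $($v.Key) -> $($v.Name) = $($item.($v.Name))"
    }
}

# 3. Keys the worm adds outright
foreach ($k in 'HKLM:\Software\RMX\cfg', 'HKCU:\Software\RMX\cfg') {
    if (Test-Path -LiteralPath $k) { "FOUND registry key: $k" }
}

# 4. HOSTS file: list every active mapping. On a clean machine this is normally
#    just the localhost line; anything pointing an update or vendor site elsewhere
#    is the tampering described above.
$hosts = Join-Path $sysDir 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9A-Fa-f.:]+\s+\S+' } |
        ForEach-Object { "HOSTS entry: $($_.Trim())" }
}
```

Run it from an administrator prompt if you intend to turn the findings into deletions afterwards.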
