[keane]

In the last 5 minutes I have recieved two file transfers from my trusted contacts, asking me to accept a .pif file, it seems that this is a new worm.

I haven't found anything on the net about this worm yet, but just don't accept these requests, and since I'm on my mac I can't dissect it more.

More to come..

Edit: Heh, I looked at it it's written in vb6... If any one more skilled than I at vb6 disassembly would like to take a look PM me.

This post has been edited by keane: 20 January 2005 - 03:02 AM

[noroom]

any filenames? filesizes we should watch?

who sends .pif anyway, lol

[keane]

Filenames: Webcam_004.pif, sexy_bedroom.pif
Size: Both I have seen are 156kb

I have looked at it, what it does:

1. Sets your volume down all the way, so you don't hear the messages?
2. Copies itself to c:\windows\system32\lexplore.exe with readonly and hidden attributes.
3. Puts a key in the registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lexplore, so that it boots at runtime.
4. Locks up explorer. (disables right click and task manager)
5. Uses the windows messenger api to send file transfers to every online contact, every 5 seconds.

Oh yea, as for the .pif, it's basically a windows PE renamed to pif, I guess to trick people, it almost tricked me. I thought it was an image TBH.


I have made a program to remove it, PM me for it.

This post has been edited by keane: 15 February 2005 - 02:00 AM

[Doggie]

isnt new, its been around for a few months, funnily getting sent to people living in canada, the irony :lol:

[Daniel]

Linked on Mess: http://www.f-secure..../bropia_a.shtml

[keane]

Heh, the f-secure descriptoin is just alittle nicer than mine ;)

Is it only being sent to canadians? doggie I'm confused.

[Crack_X]

I think he means that its spreading more in canada , havent seen that virus here in dominican republic yet

[GaZ]

doesnt supprise me it hasnt spread.. most people have contacts that live locally to them only some have over-seas contacts so the delay will be much longer... plus if its every 5secs people will be wary, as there have been other worms..

[Jnrz]

vb6 ¿?
then it needs the vb6 run time libraries which I dont have :P

[Doggie]

then thats what you call a lame worm :P

[Damian152]

keane thank you for the program, but does it remove the registry logs too or just the worm?

I mean do i have to go back and delete any registry logs or something like that?

[keane]

Damian152, on Feb 2 2005, 05:04 PM, said:

...  does it remove the registry logs too?  ...

Yes.

This post has been edited by keane: 15 February 2005 - 02:01 AM

[keane]

Oh now it's mutated and is sending links.

The link I've recieved is: http://members.home....l/handcuffs.pif

Basic rule of thumb, don't run/download PIF files

[noroom]

norton didn't pick that one out as a virus :o

[Sev3r]

ya just got that like 5 minutes ago. the handcuffs.pif one. wonderin if anyone knows how to remove it yet.

[AMRMAX]

I juz got it too. It started poping up www.searchmiracle.com popups. Please help us, Keane.

[keane]

As much as I'd love to help, I just can't right now.... really sorry to everyone, I'm just extremely busy with everything right now. In the mean time if you just want to get rid of the messages it sends to people just uninstall windows messenger.