Beware of a worm that spreads through instant messenger
UPDATED:
To make your life easy, you can download a removal tool (thanks to Matrixalaya and YoTsi) to KILL this worm and remove related files.
————————————————————
Yesterday, I received a zip file through my Windows Live Messenger and, without giving it a second thought, I unzipped the file and, worst of all, activated it. Immediately after that, my computer was infected by a worm.
This is how the worm spreads through MSN or Windows Live Messenger.
Once it has infected a computer, the worm automatically sends the file “img807.zip”, together with messages written to make people curious, to the contacts on your MSN or Windows Live Messenger contact list who are currently online. Those contacts will think you are the one who sent the file.
The messages sent together with the file are as below:
Did you take this picture?
Is that you on the left?
How drunk was I in this picture?
Is that your mom in this picture?
lol, your mom just sent me this picture?
The .zip file contains a .com file “img807.jpg-www.photoalbums.com”, which actually is Win32.Backdoor.IRCBot (Lavasoft definition) or Backdoor.Win32.IRCBot.zi (Sophos definition).
When it is activated, it creates a file on drive C:
C:\windows\vpcrtf.exe
It also creates a registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Microsoft Visual Application”=”vpcrtf.exe”
How to remove it? I learned this method (thanks to a friend of mine in Japan, Shipng) after I spent my whole day reformatting my computer (#¤%&@%¤#@)
Delete the registry entry first:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“Microsoft Visual Application”=”vpcrtf.exe”
Then restart your computer and delete these files on drive C:
%windows%\vpcrtf.exe
%windows%\img807.zip
However, I would suggest you scan your computer again with Ad-Aware SE after you have done that (if you are as unlucky as me).
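The checks and removal steps above, written as a PowerShell function. This is an added example, not part of the original post or of the removal tool it links to; the function name `Test-Img807Indicators` is hypothetical, and it assumes that `%windows%` in the post means the Windows directory (`$env:windir`).

```powershell
# Added example. Indicator values come from the post; the function name is hypothetical.
function Test-Img807Indicators {
    param([switch]$Remove)   # without -Remove the function only reports

    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'Microsoft Visual Application'
    $fileNames = 'vpcrtf.exe', 'img807.zip'
    $results   = @()

    # Step 1: the autorun value. Treat it as the worm's only if its data names vpcrtf.exe.
    $prop = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($prop -and ($prop.$valueName -like '*vpcrtf.exe*')) {
        $state = 'Found'
        if ($Remove) {
            try {
                Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop
                $state = 'Removed'
            } catch {
                $state = "Remove failed: $($_.Exception.Message)"
            }
        }
        $results += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\$valueName"; State = $state }
    }

    # Step 2: the dropped files. Assumption: %windows% in the post is $env:windir.
    foreach ($name in $fileNames) {
        $path = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $state = 'Found'
            if ($Remove) {
                try {
                    Remove-Item -LiteralPath $path -Force -ErrorAction Stop
                    $state = 'Removed'
                } catch {
                    # A running copy keeps the file locked; restart after step 1, then run again.
                    $state = 'Locked or denied: restart, then run again'
                }
            }
            $results += [pscustomobject]@{ Type = 'File'; Item = $path; State = $state }
        }
    }
    $results
}

Test-Img807Indicators            # report only
# Test-Img807Indicators -Remove  # from an elevated prompt, after reviewing the report
```

An empty result means none of the three indicators from this post were found; it does not replace the follow-up scan.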
August 15th, 2007 at 4:19 am
dun understand y ppl like spread virus everywhere leh?
KJ: Me either.
August 15th, 2007 at 7:57 am
I was also caught by that virus. After googling, I found a removal tool at
http://matrixalaya.blogspot.com/2007/08/img807zip-or-msnpoopy.html
KJ: Thanks for your information