Backdoor.Win32.SdBot.cjn party_jpg.zip/www.party_jpg_Msn.com

[Malekal_morte]

Pour supprimer l'infection, Supprimer virus MSN party_jpg

Infection se propageant par MSN utilisant le social engineering pour faire croire à la personne que sa liste de contact MSN est sur un site WEB à l'adresse suivante :
Si la personne clic sur le lien et télécharge le fichier c'est l'infection.
party_jpg.zip (http://www.party_jpg_Msn.com)

En Français :
Les messages de propagation sont en divers langues, du style :
eeeh c mes tof :p
c seulement mes tof de derniers vacances
tu dois voire les tof de notre bande
comment est-ce que je regarde sur cette photo ?
le ceci est dr
ma soeur a voulu que tu regarde ca
faut de la reproduction sonore avez-vous vu ceci ?

Autres langues :
r egentligen trevliga: P
gyckel m
ste se dig detta fotografera
du fick se detta dess galet :p
estes s
o realmente agrad
veis :P
wow voc
viu este?
como voc
gosta de me nesta foto
voc
come
ou ver este seu assim engra
ado
Bu resimler nasil sence bir bakarmisin
su komik resimlerime baksana
bak :P
Kiz kardesim bunlari sana yollamami s
yledi ;)
bu resimler space i
in nasil
Space ime bun resimleri eklesem sence nasil olur
avete ottenuto vedere questo relativo cos
divertente
come lo pensate osservi qui
sguardo di a questo
controllo di distorsione di velocit
questo fuori
el mi hermana quisiera que le enviara este
lbum de foto
vengo de fi este foto
lbum
Hey i que hace el
lbum de foto! Si vea el loL del em
El tipo, me acepta por favor su solamente
lbum de foto: (!
meine Schwester w
nscht mich Ihnen dieses Fotoalbum schicken
Geck, nehmen bitte sein nur mich Fotoalbum an: (!
he m
chten mein neues Fotoalbum sehen?
hoe vind je dit er uit zien ?
hoe vind je dit ?
echt erg kijk dan
zo hee moet je dit zien echt niet normaal
zo moet je me hier op zien
he hoe vind je me hier op
looooook :p
loooooooooooool
he looks weird on this photo
omg check this out man this is funny
you got to see this

L'infection ajoute les fichiers suivants :

C:\WINDOWS\party_jpg.zip
C:\WINDOWS\msimn.exe

L'infection ajoute la clef sur HijackThis :

O4 - HKLM\..\Run: [msimn.exe] C:\WINDOWS\msimn.exe

[Malekal_morte]

Le scan au 27/11

File msimn.exe received on 11.27.2007 15:25:56 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 11/32 (34.38%)


Antivirus Version Last Update Result
AhnLab-V3 2007.11.27.1 2007.11.27 -
AntiVir 7.6.0.34 2007.11.27 HEUR/Crypted
Authentium 4.93.8 2007.11.24 -
Avast 4.7.1074.0 2007.11.27 -
AVG 7.5.0.503 2007.11.27 IRC/BackDoor.SdBot3.WBP
BitDefender 7.2 2007.11.27 -
CAT-QuickHeal 9.00 2007.11.27 Backdoor.SdBot.gen
ClamAV 0.91.2 2007.11.27 PUA.Packed.Themida
DrWeb 4.44.0.09170 2007.11.27 -
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5329 2007.11.26 -
Ewido 4.0 2007.11.26 -
FileAdvisor 1 2007.11.27 -
Fortinet 3.14.0.0 2007.11.27 W32/SDBot.DC!tr.bdr
F-Prot 4.4.2.54 2007.11.27 -
F-Secure 6.70.13030.0 2007.11.27 SDBot.gen9
Ikarus T3.1.1.12 2007.11.27 Generic.Sdbot
Kaspersky 7.0.0.125 2007.11.27 -
McAfee 5171 2007.11.26 -
Microsoft 1.3007 2007.11.27 -
NOD32v2 2688 2007.11.27 -
Norman 5.80.02 2007.11.27 SDBot.gen9
Panda 9.0.0.4 2007.11.26 -
Prevx1 V2 2007.11.27 LoveBoom:Worm-a
Rising 20.20.12.00 2007.11.27 -
Sophos 4.23.0 2007.11.27 -
Sunbelt 2.2.907.0 2007.11.27 VIPRE.Suspicious
Symantec 10 2007.11.27 -
TheHacker 6.2.9.142 2007.11.26 -
VBA32 3.12.2.5 2007.11.27 -
VirusBuster 4.3.26:9 2007.11.26 -
Webwasher-Gateway 6.0.1 2007.11.27 Heuristic.Crypted
Additional information
File size: 559104 bytes
MD5: 8c6fd714266d8ddf7118672ddf0401fe
SHA1: af67f31b70dba1a099b663d690d4da77a365739f
packers: Themida

Le scan au 28/11, +10% de détection

File msimn.exe received on 11.28.2007 12:42:30 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 14/32 (43.75%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.28.1 2007.11.28 -
AntiVir 7.6.0.34 2007.11.28 HEUR/Crypted
Authentium 4.93.8 2007.11.28 -
Avast 4.7.1074.0 2007.11.27 -
AVG 7.5.0.503 2007.11.27 IRC/BackDoor.SdBot3.WBP
BitDefender 7.2 2007.11.28 Trojan.Downloader.JJFD
CAT-QuickHeal 9.00 2007.11.27 Backdoor.SdBot.gen
ClamAV 0.91.2 2007.11.28 PUA.Packed.Themida
DrWeb 4.44.0.09170 2007.11.28 -
eSafe 7.0.15.0 2007.11.28 -
eTrust-Vet 31.3.5333 2007.11.28 -
Ewido 4.0 2007.11.27 -
FileAdvisor 1 2007.11.28 -
Fortinet 3.14.0.0 2007.11.28 W32/SDBot.DC!tr.bdr
F-Prot 4.4.2.54 2007.11.28 -
F-Secure 6.70.13030.0 2007.11.28 Backdoor.Win32.SdBot.cjn
Ikarus T3.1.1.12 2007.11.28 Generic.Sdbot
Kaspersky 7.0.0.125 2007.11.28 Backdoor.Win32.SdBot.cjn
McAfee 5172 2007.11.27 -
Microsoft 1.3007 2007.11.28 Backdoor:Win32/Sdbot
NOD32v2 2690 2007.11.28 -
Norman 5.80.02 2007.11.27 SDBot.gen9
Panda 9.0.0.4 2007.11.26 -
Prevx1 V2 2007.11.28 LoveBoom:Worm-a
Rising 20.20.20.00 2007.11.28 -
Sophos 4.23.0 2007.11.28 -
Sunbelt 2.2.907.0 2007.11.27 VIPRE.Suspicious
Symantec 10 2007.11.28 -
TheHacker 6.2.9.144 2007.11.28 -
VBA32 3.12.2.5 2007.11.27 -
VirusBuster 4.3.26:9 2007.11.27 -
Webwasher-Gateway 6.6.2 2007.11.28 Heuristic.Crypted
Additional information
File size: 559104 bytes
MD5: 8c6fd714266d8ddf7118672ddf0401fe
SHA1: af67f31b70dba1a099b663d690d4da77a365739f
packers: Themida

[Malekal_morte]

File msimn.exe received on 11.30.2007 16:42:46 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 16/32 (50%)

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - Worm/SdBot.559104.1
Authentium - - -
Avast - - -
AVG - - IRC/BackDoor.SdBot3.WBP
BitDefender - - Trojan.Downloader.JJFD
CAT-QuickHeal - - Backdoor.SdBot.gen
ClamAV - - PUA.Packed.Themida
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - W32/SDBot.DC!tr.bdr
F-Prot - - -
F-Secure - - Backdoor.Win32.SdBot.cjn
Ikarus - - Generic.Sdbot
Kaspersky - - Backdoor.Win32.SdBot.cjn
McAfee - - -
Microsoft - - Backdoor:Win32/Sdbot
NOD32v2 - - IRC/SdBot
Norman - - SDBot.gen9
Panda - - -
Prevx1 - - IRC/BackDoor.SdBot3.WBP
Rising - - -
Sophos - - -
Sunbelt - - Trojan-Downloader.JJFD
Symantec - - -
TheHacker - - -
VBA32 - - Backdoor.Win32.SdBot.cjn
VirusBuster - - -
Webwasher-Gateway - - Worm.SdBot.559104.1
Additional information
MD5: 8c6fd714266d8ddf7118672ddf0401fe

[Malekal_morte]

File msimn.exe received on 12.01.2007 14:02:23 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 18/32 (56.25%)

Antivirus Version Last Update Result
AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 Worm/SdBot.559104.1
Authentium 4.93.8 2007.12.01 -
Avast 4.7.1074.0 2007.11.30 -
AVG 7.5.0.503 2007.12.01 IRC/BackDoor.SdBot3.WBP
BitDefender 7.2 2007.12.01 Trojan.Downloader.JJFD
CAT-QuickHeal 9.00 2007.12.01 Backdoor.SdBot.gen
ClamAV 0.91.2 2007.12.01 PUA.Packed.Themida
DrWeb 4.44.0.09170 2007.12.01 -
eSafe 7.0.15.0 2007.11.29 -
eTrust-Vet 31.3.5340 2007.11.30 -
Ewido 4.0 2007.12.01 -
FileAdvisor 1 2007.12.01 -
Fortinet 3.14.0.0 2007.12.01 W32/SDBot.DC!tr.bdr
F-Prot 4.4.2.54 2007.11.30 -
F-Secure 6.70.13030.0 2007.11.30 Backdoor.Win32.SdBot.cjn
Ikarus T3.1.1.12 2007.12.01 Generic.Sdbot
Kaspersky 7.0.0.125 2007.12.01 Backdoor.Win32.SdBot.cjn
McAfee 5175 2007.11.30 W32/Sdbot.worm.gen.n
Microsoft 1.3007 2007.12.01 Backdoor:Win32/Sdbot
NOD32v2 2696 2007.11.30 IRC/SdBot
Norman 5.80.02 2007.11.30 SDBot.gen9
Panda 9.0.0.4 2007.12.01 W32/MSNFunny.D.worm
Prevx1 V2 2007.12.01 IRC/BackDoor.SdBot3.WBP
Rising 20.20.51.00 2007.12.01 -
Sophos 4.23.0 2007.12.01 -
Sunbelt 2.2.907.0 2007.12.01 Trojan-Downloader.JJFD
Symantec 10 2007.12.01 -
TheHacker 6.2.9.146 2007.11.30 -
VBA32 3.12.2.5 2007.12.01 Backdoor.Win32.SdBot.cjn
VirusBuster 4.3.26:9 2007.11.30 -
Webwasher-Gateway 6.6.2 2007.12.01 Worm.SdBot.559104.1
Additional information
File size: 559104 bytes
MD5: 8c6fd714266d8ddf7118672ddf0401fe
SHA1: af67f31b70dba1a099b663d690d4da77a365739f
packers: Themida

[Malekal_morte]

NextDoor Worm Spreads across MSN sur spywareguide.com qui décrit le foncitonnement du virus MSN : http://blog.spywareguide.com/2007/11/ne ... s_m_1.html