msn.photo.iquebec.com

[Malekal_morte]

Pour désinfecter son PC, se reporter à la page suivante : https://www.malekal.com/virus_MSN_c_est_pas_toi.php

Variante de cette infection : viewtopic.php?f=57&t=8742
Infection se propageant via le lien Web : hxxp://msn.photo.iquebec.com/?photo=xxxxxx

Lors de l'exécution du fichier proposé en téléchargement, l'image suivante s'ouvre :

avec le message :

im paki usman ahzaz, i swim in money $$$,
iwant to you to swim with me!!! send this file to all friends and join me!!

L'infection s'installe en ajoutant la ligne suivante sur HijackThis :

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\zotjoup.exe

Le fichier .exe a un nom aléatoire et utilise une technologie de rookit.

Scan du fichier droppant l'infection :

File xxxx_photo2.com received on 03.16.2008 19:04:39 (CET)
Current status: finished
Result: 11/32 (34.38%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - Heur.Invader
McAfee - - -
Microsoft - - VirTool:Win32/Obfuscator.Z
NOD32v2 - - a variant of Win32/TrojanDropper.Agent.NIN
Norman - - -
Panda - - Suspicious file
Prevx1 - - Heuristic: Suspicious File With Anti-Security Technology
Rising - - -
Sophos - - Sus/UnkPacker
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: 46b58f4c5d58cb1d958603a6b80b6f37
SHA1: 2d5490dd85ab688cddb7b30834c1d5c0b97ad68e
SHA256: 3022b496ad19f7ac04543ab6010e00b43687fc3fbbd24fa1a6b2c6f89a1c0a01

[Malekal_morte]

Scan d'un dropper encore actif.
Encore une fois et toujours : McAfee, Norton et Avast! sont à la rue.

File pseudo_msn_photo09.com received on 03.24.2008 05:42:52 (CET)
Current status: finished
Result: 15/32 (46.88%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - BackDoor.Ircbot.DOV
BitDefender - - GenPack:Trojan.Downloader.Agent.ZEE
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Trojan.Crypt.XPACK
Kaspersky - - Trojan.Win32.DNSChanger.bmj
McAfee - - -
Microsoft - - Worm:Win32/Pakabot.O
NOD32v2 - - a variant of Win32/TrojanDropper.Agent.NIN
Norman - - W32/Smalltroj.DMDC
Panda - - Suspicious file
Prevx1 - - Heuristic: Suspicious File With Bad Child Associations
Rising - - -
Sophos - - Mal/Generic-A
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: 81b6d8ad3c268348d96ca2b33fb7bcb1
SHA1: 9fbaf69e93054988e5fd49342441756e67a80427
SHA256: 5afd44f805bb331feed0a7ca8b00528e904cdedbdf59915b998f90880ebed6c8
SHA512: fc1857ff0811e6743478473c29252aa240a6fd7829ee23f037cdccd593655883 6ca3779a21588146ef26eba8041e252e73516d33fd579082f4e70b668a01c329

[Malekal_morte]

Nouvelle variante...

Adresses envoyées aux contacts :
http://image-msn.iquebec.com/?photo=pseudo_msn
http://msn-picture.iquebec.com/?photo=pseudo_msn

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\xxx\LOCALS~1\Temp\qnrwéé£'£'%''msn'è%'fix''.exe
O4 - HKLM\..\Run: [Flash Media] "C:\DOCUME~1\xxxt\LOCALS~1\Temp\qnrwéé£'£'%''msn'è%'fix''.exe"

Le fichier est aléatoire avec "msn' et 'fix".exe à la fin, ex:
bsxￜￜ'ￜ'%''msn'ￜ%'fix''.exe
qkqnéé£'£'%''msn'è%'fix''.exe
qkqnéé£'£'%''msn'è%'fix''.exe

Scan du dropper :

File msn-diabolochocolatt_photo09.com. received on 03.24.2008 13:28:51 (CET)
Current status: finished
Result: 10/32 (31.25%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.3.22.1 2008.03.24 -
AntiVir 7.6.0.75 2008.03.23 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.22 -
Avast 4.7.1098.0 2008.03.24 -
AVG 7.5.0.516 2008.03.23 -
BitDefender 7.2 2008.03.24 -
CAT-QuickHeal 9.50 2008.03.21 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.24 -
DrWeb 4.44.0.09170 2008.03.24 -
eSafe 7.0.15.0 2008.03.18 Suspicious File
eTrust-Vet 31.3.5633 2008.03.21 -
Ewido 4.0 2008.03.24 -
FileAdvisor 1 2008.03.24 -
Fortinet 3.14.0.0 2008.03.24 -
F-Prot 4.4.2.54 2008.03.23 -
F-Secure 6.70.13260.0 2008.03.24 -
Ikarus T3.1.1.20 2008.03.24 -
Kaspersky 7.0.0.125 2008.03.24 Heur.Invader
McAfee 5257 2008.03.21 -
Microsoft 1.3301 2008.03.24 VirTool:Win32/Obfuscator.Z
NOD32v2 2968 2008.03.24 a variant of Win32/TrojanDropper.Agent.NIN
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.23 Suspicious file
Prevx1 V2 2008.03.24 -
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.24 Sus/UnkPacker
Sunbelt 3.0.978.0 2008.03.18 VIPRE.Suspicious
Symantec 10 2008.03.24 -
TheHacker 6.2.92.252 2008.03.22 -
VBA32 3.12.6.3 2008.03.21 -
VirusBuster 4.3.26:9 2008.03.23 -
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Crypt.XPACK.Gen
Additional information
File size: 91291 bytes
MD5: 4db22b987f87d86f7b5c2b59f4ea49ab
SHA1: 9b1aabe9138bd3b75f02921b220c2e281f73afdf
PEiD: -

[Malekal_morte]

On passe de 10/32 (31.25%) à 13/32 (40.63%)

File aleatoire_photo_photo09.com received on 03.25.2008 22:19:10 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 13/32 (40.63%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.25 -
AntiVir 7.6.0.75 2008.03.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.25 -
Avast 4.7.1098.0 2008.03.24 -
AVG 7.5.0.516 2008.03.25 BackDoor.Ircbot.7.AP
BitDefender 7.2 2008.03.25 -
CAT-QuickHeal 9.50 2008.03.24 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.25 -
DrWeb 4.44.0.09170 2008.03.25 -
eSafe 7.0.15.0 2008.03.18 Suspicious File
eTrust-Vet 31.3.5641 2008.03.25 -
Ewido 4.0 2008.03.25 -
F-Prot 4.4.2.54 2008.03.25 -
F-Secure 6.70.13260.0 2008.03.25 -
FileAdvisor 1 2008.03.25 -
Fortinet 3.14.0.0 2008.03.25 -
Ikarus T3.1.1.20 2008.03.25 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.03.25 Heur.Invader
McAfee 5259 2008.03.25 -
Microsoft 1.3301 2008.03.25 Worm:Win32/Pakabot.Q
NOD32v2 2971 2008.03.25 a variant of Win32/TrojanDropper.Agent.NIN
Norman 5.80.02 2008.03.25 W32/Smalltroj.DNXB
Panda 9.0.0.4 2008.03.25 Suspicious file
Prevx1 V2 2008.03.25 -
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.25 Sus/UnkPacker
Sunbelt 3.0.978.0 2008.03.18 VIPRE.Suspicious
Symantec 10 2008.03.25 -
TheHacker 6.2.92.254 2008.03.25 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.25 -
Webwasher-Gateway 6.6.2 2008.03.25 Trojan.Crypt.XPACK.Gen
Additional information
File size: 91291 bytes
MD5: 4db22b987f87d86f7b5c2b59f4ea49ab
SHA1: 9b1aabe9138bd3b75f02921b220c2e281f73afdf
PEiD: -

Aucune évolution : Result: 15/32 (46.88%)

File pseudo_msn_photo09.com received on 03.25.2008 22:19:18 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 15/32 (46.88%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.25 -
AntiVir 7.6.0.75 2008.03.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.25 -
Avast 4.7.1098.0 2008.03.24 -
AVG 7.5.0.516 2008.03.25 BackDoor.Ircbot.DOV
BitDefender 7.2 2008.03.25 GenPack:Trojan.Downloader.Agent.ZEE
CAT-QuickHeal 9.50 2008.03.24 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.25 -
DrWeb 4.44.0.09170 2008.03.25 -
eSafe 7.0.15.0 2008.03.18 Suspicious File
eTrust-Vet 31.3.5641 2008.03.25 -
Ewido 4.0 2008.03.25 -
F-Prot 4.4.2.54 2008.03.25 -
F-Secure 6.70.13260.0 2008.03.25 -
FileAdvisor 1 2008.03.25 -
Fortinet 3.14.0.0 2008.03.25 -
Ikarus T3.1.1.20 2008.03.25 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.03.25 Trojan.Win32.DNSChanger.bmj
McAfee 5259 2008.03.25 -
Microsoft 1.3301 2008.03.25 Worm:Win32/Pakabot.O
NOD32v2 2971 2008.03.25 a variant of Win32/TrojanDropper.Agent.NIN
Norman 5.80.02 2008.03.25 W32/Smalltroj.DMDC
Panda 9.0.0.4 2008.03.25 Suspicious file
Prevx1 V2 2008.03.25 Heuristic: Suspicious File With Bad Child Associations
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.25 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 VIPRE.Suspicious
Symantec 10 2008.03.25 -
TheHacker 6.2.92.254 2008.03.25 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.25 -
Webwasher-Gateway 6.6.2 2008.03.25 Trojan.Crypt.XPACK.Gen
Additional information
File size: 91291 bytes
MD5: 81b6d8ad3c268348d96ca2b33fb7bcb1
SHA1: 9fbaf69e93054988e5fd49342441756e67a80427
PEiD: -

[Malekal_morte]

Result: 13/32 (40.63%) --> Result: 14/32 (43.75%)
BitDefender qui l'a ajouté.

File aleatoire_photo_photo09.com received on 03.26.2008 17:53:17 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 14/32 (43.75%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.26 -
AntiVir 7.6.0.75 2008.03.26 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.26 -
AVG 7.5.0.516 2008.03.26 BackDoor.Ircbot.7.AP
BitDefender 7.2 2008.03.26 Trojan.IRCBot.YD
CAT-QuickHeal 9.50 2008.03.26 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.26 -
DrWeb 4.44.0.09170 2008.03.26 -
eSafe 7.0.15.0 2008.03.18 Suspicious File
eTrust-Vet 31.3.5644 2008.03.26 -
Ewido 4.0 2008.03.26 -
F-Prot 4.4.2.54 2008.03.26 -
F-Secure 6.70.13260.0 2008.03.26 -
FileAdvisor 1 2008.03.26 -
Fortinet 3.14.0.0 2008.03.26 -
Ikarus T3.1.1.20 2008.03.26 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.03.26 Heur.Invader
McAfee 5260 2008.03.26 -
Microsoft 1.3301 2008.03.26 Worm:Win32/Pakabot.Q
NOD32v2 2975 2008.03.26 a variant of Win32/TrojanDropper.Agent.NIN
Norman 5.80.02 2008.03.26 W32/Smalltroj.DNXB
Panda 9.0.0.4 2008.03.25 Suspicious file
Prevx1 V2 2008.03.26 -
Rising 20.37.22.00 2008.03.26 -
Sophos 4.27.0 2008.03.26 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 VIPRE.Suspicious
Symantec 10 2008.03.26 -
TheHacker 6.2.92.255 2008.03.26 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.26 -
Webwasher-Gateway 6.6.2 2008.03.26 Trojan.Crypt.XPACK.Gen
Additional information
File size: 91291 bytes
MD5: 4db22b987f87d86f7b5c2b59f4ea49ab
SHA1: 9b1aabe9138bd3b75f02921b220c2e281f73afdf
PEiD: -

Le scan n'a pas bougé : Result: 15/32 (46.88%)

File pseudo_msn_photo09.com received on 03.26.2008 17:53:29 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 15/32 (46.88%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.26 -
AntiVir 7.6.0.75 2008.03.26 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.26 -
AVG 7.5.0.516 2008.03.26 BackDoor.Ircbot.DOV
BitDefender 7.2 2008.03.26 GenPack:Trojan.Downloader.Agent.ZEE
CAT-QuickHeal 9.50 2008.03.26 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.26 -
DrWeb 4.44.0.09170 2008.03.26 -
eSafe 7.0.15.0 2008.03.18 Suspicious File
eTrust-Vet 31.3.5644 2008.03.26 -
Ewido 4.0 2008.03.26 -
F-Prot 4.4.2.54 2008.03.26 -
F-Secure 6.70.13260.0 2008.03.26 -
FileAdvisor 1 2008.03.26 -
Fortinet 3.14.0.0 2008.03.26 -
Ikarus T3.1.1.20 2008.03.26 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.03.26 Trojan.Win32.DNSChanger.bmj
McAfee 5260 2008.03.26 -
Microsoft 1.3301 2008.03.26 Worm:Win32/Pakabot.O
NOD32v2 2975 2008.03.26 a variant of Win32/TrojanDropper.Agent.NIN
Norman 5.80.02 2008.03.26 W32/Smalltroj.DMDC
Panda 9.0.0.4 2008.03.25 Suspicious file
Prevx1 V2 2008.03.26 Heuristic: Suspicious File With Bad Child Associations
Rising 20.37.22.00 2008.03.26 -
Sophos 4.27.0 2008.03.26 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 VIPRE.Suspicious
Symantec 10 2008.03.26 -
TheHacker 6.2.92.255 2008.03.26 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.26 -
Webwasher-Gateway 6.6.2 2008.03.26 Trojan.Crypt.XPACK.Gen
Additional information
File size: 91291 bytes
MD5: 81b6d8ad3c268348d96ca2b33fb7bcb1
SHA1: 9fbaf69e93054988e5fd49342441756e67a80427
PEiD: -

Nouvelle variante :

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Flash Media = "%System%\^^^^^.exe"

so that ^^^^^.exe runs every time Windows starts

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htc]
+ Content Type = "{space}"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Userinit = "%System%\userinit.exe,%System%\^^^^^.exe"

so that ^^^^^.exe runs every time Windows starts

File thierry_photo09.com received on 03.26.2008 17:44:22 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 14/32 (43.75%)


Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.26 -
AntiVir 7.6.0.75 2008.03.26 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.26 -
AVG 7.5.0.516 2008.03.26 BackDoor.Ircbot.7.AP
BitDefender 7.2 2008.03.26 Trojan.Agent.AHPH
CAT-QuickHeal 9.50 2008.03.26 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.26 -
DrWeb 4.44.0.09170 2008.03.26 -
eSafe 7.0.15.0 2008.03.18 Suspicious File
eTrust-Vet 31.3.5644 2008.03.26 -
Ewido 4.0 2008.03.26 -
F-Prot 4.4.2.54 2008.03.26 -
F-Secure 6.70.13260.0 2008.03.26 -
FileAdvisor 1 2008.03.26 -
Fortinet 3.14.0.0 2008.03.26 -
Ikarus T3.1.1.20 2008.03.26 -
Kaspersky 7.0.0.125 2008.03.26 Heur.Invader
McAfee 5259 2008.03.25 -
Microsoft 1.3301 2008.03.26 VirTool:Win32/Obfuscator.Z
NOD32v2 2975 2008.03.26 a variant of Win32/TrojanDropper.Agent.NIN
Norman 5.80.02 2008.03.26 W32/Smalltroj.DOGG
Panda 9.0.0.4 2008.03.25 Suspicious file
Prevx1 V2 2008.03.26 Heuristic: Suspicious File With Bad Child Associations
Rising 20.37.22.00 2008.03.26 -
Sophos 4.27.0 2008.03.26 Sus/UnkPacker
Sunbelt 3.0.978.0 2008.03.18 VIPRE.Suspicious
Symantec 10 2008.03.26 -
TheHacker 6.2.92.255 2008.03.26 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.26 -
Webwasher-Gateway 6.6.2 2008.03.26 Trojan.Crypt.XPACK.Gen
Additional information
File size: 91291 bytes
MD5: c2e99c9af8a97e5dd7f04b92485bf2a9
SHA1: 7676d20fa952fa7bbe0c4c4ba1a85cdc6e06c11a
PEiD: -

[Malekal_morte]

Fichier salena_6141_photo05.com reçu le 2008.04.05 21:25:52 (CET)
Situation actuelle: terminé
Résultat: 12/32 (37.50%)
Formaté Formaté

Impression des résultats Impression des résultats
Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.04 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.04 -
AVG 7.5.0.516 2008.04.05 BackDoor.Ircbot.7.AP
BitDefender 7.2 2008.04.05 Packer.Malware.NaN.A
CAT-QuickHeal 9.50 2008.04.05 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.05 -
DrWeb 4.44.0.09170 2008.04.05 -
eSafe 7.0.15.0 2008.04.01 Suspicious File
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.05 -
F-Prot 4.4.2.54 2008.04.05 -
F-Secure 6.70.13260.0 2008.04.05 -
FileAdvisor 1 2008.04.05 -
Fortinet 3.14.0.0 2008.04.05 -
Ikarus T3.1.1.20 2008.04.05 -
Kaspersky 7.0.0.125 2008.04.05 Heur.Invader
McAfee 5267 2008.04.04 -
Microsoft 1.3408 2008.04.05 VirTool:Win32/Obfuscator.Z
NOD32v2 3004 2008.04.05 a variant of Win32/TrojanDropper.Agent.NIN
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.05 Suspicious file
Prevx1 V2 2008.04.05 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.05 Sus/UnkPacker
Sunbelt 3.0.1032.0 2008.04.05 VIPRE.Suspicious
Symantec 10 2008.04.05 -
TheHacker 6.2.92.265 2008.04.04 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.04.05 -
Webwasher-Gateway 6.6.2 2008.04.04 Trojan.Crypt.XPACK.Gen
Information additionnelle
File size: 91803 bytes
MD5...: 8ec99405878212340c67fa3d89aa561d
SHA1..: 0ff2dc99c3b62bfb170892ca1bac5b9a607ebada
SHA256: 3f923a69ff948cdd4b6f55d26f18b37b0c989b167a0f4807b597e026169a4f5b
SHA512: 96898e88c0784f6898264d40c4774455f2ff6086b4be974faaf9b46c32e0c484
553bbe700ec94b8867ab6ac774bb33ba6e0bbd71196cb228be198ecd0dff9f62