"Unofficial" TRLE Network & Chatbox
  Eidos Interactive Forums
  Tomb Raider Level Editor
  Really important message! DO NOT OPEN PIC1234[1][3][1].exe

LeeO
Member

Posts: 416
From:
Registered: May 2001

posted 10-10-2001 01:51 PM
If you get an e-mail from my Hotmail account "leeoldfield14@hotmail.com" asking you to view a pic with an .exe extension, decline! It's a worm virus that was given to me by TRLEstuff. I don't know whether it was accidental or deliberate, but the thing is, I nearly gave Kiopo the virus just now! Thanx for listening!

IP: Logged

LeeO
Member

Posts: 416
From:
Registered: May 2001

posted 10-10-2001 02:04 PM
I found this info on the virus:
"W32.Annoying.Worm
Discovered on: August 8, 2001
Last Updated on: August 21, 2001 at 01:10:11 PM PDT



This worm is a Visual Basic 6 (VB6) program that spreads using MSN Messenger. It requires Msvbvm60.dll to run.

Type: Worm

Infection Length: 49,152 bytes

Virus Definitions: August 8, 2001

Threat Assessment:

Wild: Low
Damage: Low
Distribution: Low

Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Distribution:

Name of attachment: pic1324.exe
Size of attachment: 49,152 bytes
Target of infection: MSN messenger users
Technical description:


Activation
When activated, this worm registers its process to the system as MsgSprd.

It next creates the value

MSN Messenger %download location%\PIC1324.exe

in the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and displays the following message:

It remains active (silently), waiting for contacts to send you messages by MSN messenger.

Contact
When a contact is made by MSN Messenger, this worm waits a few seconds and sends the following message to the contact:

hey, want me to send my new pic?
i took it yesterday

If the contact responds with any of the following key words in their message:

yes
sure
yea
guess
send
there
maybe
ok cool

it sends itself to that contact along with the message

alright, here ya go
i hope you like it

Other information
This worm contains the following text inside itself:

I come in piece. My name is Jerry.
The purpose of me is to spread. I'm not annoying, nor dangerous.


Removal instructions:

To remove this worm, you must:

Terminate the application registered as MsgSprd.
Delete infected files.
Remove the registry value that was added by the worm.

To terminate the application:
1. Press Ctrl+Alt+Delete one time.
2. If you are running Windows NT/2000, click Task Manager.
3. In the list box (on the Applications tab if you are running Windows NT/2000) select MsgSprd.
4. Click End Task.

To delete infected files:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan. Be sure that NAV is configured to scan all files.
3. Delete all files that are detected as W32.Annoying.Worm.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before you proceed. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following value:

MSN Messenger %download location%\PIC1324.exe

5. Click Registry, and then click Exit.



Write-up by: Atli Gudmundsson"

IP: Logged
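
The registry check from the removal instructions quoted above, as an added example that is not part of the thread or of the quoted write-up: it scans a regedit text export for a Run value whose target is the attachment name the write-up gives. The export text and its download folder are constructed sample data, and the function names are hypothetical.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE = "pic1324.exe"  # attachment name given in the write-up

# "name"="data" string lines of a regedit export; \\ and \" are escapes.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; the download folder is an assumption.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSN Messenger"="C:\\My Download Files\\PIC1324.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\WINDOWS\\setup.exe"
'''


def unescape(text):
    # Undo regedit escaping: a backslash makes the next character literal.
    return re.sub(r"\\(.)", r"\1", text)


def find_worm_run_values(reg_text):
    """Return (name, data) for Run values that launch the worm's file."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive; only the Run key is in scope.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        match = STRING_VALUE.match(line) if in_run_key else None
        if match:
            name, data = (unescape(g) for g in match.groups())
            if basename(data.strip('"')).lower() == WORM_FILE:
                hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_worm_run_values(SAMPLE_EXPORT):
        print(f"Run value to delete: {name!r} -> {data}")
```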

Conan the Barbarian
Member

Posts: 317
From:Basingstoke, Hampshire, England
Registered: Aug 2001

posted 10-10-2001 03:07 PM
If you've been hit by this see
http://www.symantec.com/avcenter/venc/data/w32.annoying.worm.html

for removal.

Better still sign up for a trial of Sophos Anti-Virus at Sophos.co.uk

It will do the clean up automatically.

If you or anyone else needs help on virus clean up / security in general please email me or MSN chat tswippet@hotmail.com

------------------

Conan the Barbarian
email: conanthebarbarian@ntlworld.com
a.k.a. Ted Swippet
email:tswippet@hotmail.com

IP: Logged

All times are PST (US)
